Full Disclosure mailing list archives
Re: Sql Injection big5 consultancy
From: Justin <justin-fulldisclosure () soze net>
Date: Mon, 23 Jun 2003 18:17:58 +0000
Blue Boar (2003-06-23 16:21Z) wrote:
> joseph blater wrote:
>> What should I do? Tell them their whole HR system is vulnerable and face the risks of being charged for something? Although owning certs from most vendors, I never got to work for a top5. Shall I take the risk and use this vuln to help me getting a job?
>
> Well, considering that they're called that because there are only 5 or so of them... and that they all have pen test people who read this list... I would guess that this problem will take care of itself.

Maybe, just maybe, one of the "pen test people" you presume are trolling their halls might read this thread and notice the problem. But the chances of such people existing is rather slim given that they had sql injection problems to start with. Chances are, if he doesn't report it, they'll never know anything is wrong unless/until someone hacks them and does noticeable damage, or unless they hire someone with a clue who audits their web server logs.

--
Freedom's untidy, and free people are free to make mistakes and commit crimes and do bad things. They're also free to live their lives and do wonderful things. --Rumsfeld, 2003-04-11

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
