Full Disclosure mailing list archives

Re: Vendor casual towards vulnerability found in product


From: "morning_wood" <se_cur_ity () hotmail com>
Date: Wed, 26 May 2004 07:52:21 -0700

I have the following queries

1. Would an exploit like this be said to be severe?

yes

2. Is the vendor right in their approach to this issue?

not entirely

3. How do I make public the vulnerability? (Vendor has given permission for
the same)

post it here, on your site, or another security list

4. Ok, I'll rather ask... *should* I make public details of this
vulnerability? (Since I know of sites using this app server, and they may be
taken down if the exploit goes out)

yes, maybe the vendor will wake up


that said, it seems the vendor knows of the flaw, and it is easily remedied by the
aforementioned "non default" setting and documentation reflecting that it is a
"good thing" to enable said option.
Often a disclosure policy helps vendors "stay on track"

some disclosure policies can be found at..

http://oisafety.org/
http://oisafety.org/process.html

http://exploitlabs.com/disclosure-policy.html
http://www.cert.org/kb/vul_disclosure.html
http://www.atstake.com/research/policy/
http://www.hut.fi/~tianyuan/slides/template/template.html


Donnie Werner
http://exploitlabs.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html