Full Disclosure mailing list archives
Re: radware AppWall Web Application Firewall: Source code disclosure on management interface
From: Vladimir '3APA3A' Dubrovin <3APA3A () SECURITY NNOV RU>
Date: Fri, 3 Jul 2009 16:58:13 +0400
Dear Shaked Vax,

Are you sure Radware Team have analysed reflected attack via user's browser (AppWall administrator visits malcrafted page, page redirects his request to AppWall) before excluding remote vector?

--Thursday, July 2, 2009, 3:23:16 PM, you wrote to full-disclosure () lists grok org uk:

SV> Radware team has completed analysis of the reported issue, concluding
SV> that no AppWall customer using the product according to Radware
SV> deployment recommendations would be exposed to vulnerability as a result
SV> of this issue. This is due to the facts that this issue exists only on
SV> the management interface that is recommended to be connected to
SV> internal LAN only, and that it does not allow performing any actions
SV> that would influence machine functionality.

SV> Nevertheless, in order to enforce our commitment to deliver top
SV> security solution to our customers, Radware will supply a fix for this
SV> issue within its upcoming AppWall release.

SV> Shaked Vax
SV> AppWall Product Manager
SV> ShakedV () radware com

SV> _______________________________________________
SV> Full-Disclosure - We believe in it.
SV> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
SV> Hosted and sponsored by Secunia - http://secunia.com/

--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
But Harry... I unquestionably give preference to him, for his high nutritional value and a somehow especially tender meat. (Twain)
