
Full Disclosure mailing list archives
Re: NuralStorm Webmail Multiple Vulnerabilities
From: Justin Klein Keane <justin () madirish net>
Date: Thu, 15 Jul 2010 08:22:13 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, as much as I hate to feed the trolls, perhaps I should provide some more context for my evaluation of NuralStorm webmail. The project is indeed quite aged, so much so that you are required to monkey with the default PHP register globals settings to get it to run (which should tip anyone interested in the project off that it might not be safe). Unfortunately I actually came across the project because I found it as a service offering from a legitimate company. I was careful to mention the age explicitly in my advisory because I am aware that it isn't a recent project and thus is pretty easy pickings for any dedicated security researcher. Amazingly though, in the eight years since the project was released there have only been a couple of security vulnerabilities disclosed (notably CVE-2006-5386), which might lead a casual observer to conclude that the project was safe for use. I think NuralStorm serves as a great example of the types of false metrics that can sometimes be used to justify security.

Nevertheless, it wasn't something I just picked out of the trash bin or dug up on random free software download archives - NuralStorm is actively deployed, unpatched, on the internet, and thus my disclosure was meant to warn folks who might have the project in use, as it is immensely exploitable and no longer under any sort of active development. Unfortunately I won't be able to work with the developers to try and update and secure this project, which should ultimately be the goal of open source security research.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed using the public key at http://www.madirish.net/gpgkey

On 07/15/2010 05:44 AM, Pavel Kankovsky wrote:
> On Mon, 12 Jul 2010, musnt live wrote:
>> Performing security research and disclosure of projects over 8 years old is stupid [...]
>
> If people spent more time studying mistakes made 8 years ago (or even more than 50 years ago (*)) they would not repeat them today as often as they do.
>
> (*) In-band signalling in telephone networks.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkw+/XUACgkQkSlsbLsN1gDGDgb+IQB7EqdR1eZQHMstzn+imaqR
3Qu3/qEeeul0/lv5gxLcdbzoDmxuQ226vyZEwXcSt7fuBPo4lnbWguWJlzsIaP1I
KQpbfq2giuYQhU2w8htXEYYwScmZxTz2sMYXaOJMqB3I/VZCY8Grw7oJmeDUzY/x
TnMESF8UowmdkJzkSCrvEU7qN0MfJkASWiF1oz1P6fJvn4sos07C+Jj7PhOx/gmK
PD22YEGfVUoH4IPiYmblsqvR9r8dAqlgGehIG0oi+oe8avxq19lGD0KhLvDQokXM
lq+rYjXrsD945Lc5kug=
=JQTA
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
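The message above treats "needs register_globals turned on" as a warning sign in itself. The following is an added example, written for this archive page rather than taken from the post or from NuralStorm's code, showing why: with register_globals every request parameter became a PHP global, so any flag an application only assigns on success can be pre-set by the client. register_globals was deprecated in PHP 5.3 and removed in 5.4, so the block emulates it with extract(), which has the same overwrite semantics. The function names, the credential pair and both request arrays are constructed for the illustration; the ini_get() self-check reports whether an older interpreter actually has the directive enabled.

```php
<?php
// Added illustration (not NuralStorm code) of why an application that only
// runs with register_globals=On is a red flag. register_globals imported every
// request parameter as a global PHP variable; it was deprecated in 5.3 and
// removed in 5.4, so extract() is used here to emulate it. Function names and
// the request arrays below are constructed for this example.
declare(strict_types=1);

// Stand-in credential check; only one constructed pair is accepted.
function check_password(string $user, string $pass): bool
{
    return $user === 'alice' && $pass === 'correct horse';
}

// register_globals-era pattern: the flag is set only on success and never
// initialised otherwise, so a request parameter named "authenticated"
// pre-populates it before the check runs.
function login_vulnerable(array $request): bool
{
    extract($request, EXTR_OVERWRITE);   // emulates register_globals=On
    if (check_password($user, $pass)) {
        $authenticated = true;
    }
    return !empty($authenticated);       // attacker-controlled if never assigned
}

// Hardened form: no variable import, explicit initialisation, explicit reads
// from the request array, and the flag can only become true via the check.
function login_hardened(array $request): bool
{
    $authenticated = false;
    $user = (string) ($request['user'] ?? '');
    $pass = (string) ($request['pass'] ?? '');
    if (check_password($user, $pass)) {
        $authenticated = true;
    }
    return $authenticated;
}

// Deployment check: on PHP < 5.4 this tells you whether the interpreter is
// importing request parameters into the global scope; on 5.4+ the directive
// no longer exists, ini_get() returns false, and this reports "no".
function register_globals_enabled(): bool
{
    return filter_var((string) ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed requests: a legitimate login, and a bypass attempt that sends a
// wrong password plus a parameter colliding with the internal flag name.
$legit   = ['user' => 'alice', 'pass' => 'correct horse'];
$hostile = ['user' => 'alice', 'pass' => 'wrong', 'authenticated' => '1'];

printf("register_globals on: %s\n", register_globals_enabled() ? 'yes' : 'no');
printf("vulnerable, legit:   %s\n", login_vulnerable($legit) ? 'allowed' : 'denied');
printf("vulnerable, hostile: %s\n", login_vulnerable($hostile) ? 'allowed' : 'denied');
printf("hardened, legit:     %s\n", login_hardened($legit) ? 'allowed' : 'denied');
printf("hardened, hostile:   %s\n", login_hardened($hostile) ? 'allowed' : 'denied');
```

Run it with the php command-line binary. The hostile request is accepted by login_vulnerable and rejected by login_hardened; the legitimate request is accepted by both. The same collision applies to any uninitialised variable an old application reads (include paths, admin flags, user IDs), which is why an application that will not run without register_globals should be assumed to have this class of bug throughout rather than patched one variable at a time.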
Current thread:
- NuralStorm Webmail Multiple Vulnerabilities Justin C. Klein Keane (Jul 12)
- Re: NuralStorm Webmail Multiple Vulnerabilities musnt live (Jul 12)
- Re: NuralStorm Webmail Multiple Vulnerabilities Pavel Kankovsky (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities musnt live (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities Christoph Gruber (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities Justin Klein Keane (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities musnt live (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities Pavel Kankovsky (Jul 15)
- Re: NuralStorm Webmail Multiple Vulnerabilities Valdis . Kletnieks (Jul 15)
- In-band signalling (was: Re: NuralStorm Webmail Multiple Vulnerabilities) Pavel Kankovsky (Jul 17)
- Re: In-band signalling (was: Re: NuralStorm Webmail Multiple Vulnerabilities) Dan Kaminsky (Jul 17)
- Re: In-band signalling (was: Re: NuralStorm Webmail Multiple Vulnerabilities) coderman (Jul 17)
- Re: In-band signalling (was: Re: NuralStorm Webmail Multiple Vulnerabilities) Pavel Kankovsky (Jul 24)
- Re: NuralStorm Webmail Multiple Vulnerabilities musnt live (Jul 12)