Full Disclosure mailing list archives

RE: Vendor casual towards vulnerability found in product


From: Harlan Carvey <keydet89 () yahoo com>
Date: Wed, 26 May 2004 09:48:02 -0700 (PDT)

 
Perhaps.  What is the real risk of destroying
configuration files, if backups are being made?
They restore from backup, someone erases them again,
they restore, someone erases again, they restore...

Right, I understand that.  However, as a consultant,
I've seen places where incremental backups were made
several times a day, b/c users had a habit of moving
folders off of the server, and then deleting the
folder when they were done w/ the files in it.  Rather
than "train" the users, the admins took all of the
work on themselves.

I would like to say that yes, I am none too happy
with the way the vendor has reacted to this. And I
shall explain why. I am responsible for a few of the
production sites exposed and vulnerable to this flaw
since they run this product. And there is nothing I
can do to fix them since the flaw is core to the
product.

I thought you mentioned something about a module or
something in your first post...something the vendor
knew about but never bothered to document...

If this is known to anyone outside of the
vendor's team, my servers are roadkill. And this
thought doesn't really give me a warm feeling inside.

Well, besides the ability to wreak havoc, someone has
to actually do something.  For your servers to be
roadkill, someone has to actually launch a properly
formatted attack.

I know what you're thinking at this point..."if I
could figure it out, then surely a malicious
person/blackhat could have figured it out already,
too".  Well...maybe.  But who knows?  There's a great
deal of speculation about that sort of thing happening
with all sorts of vulnerabilities, but no actual
evidence to support it.
 
Thanks all for your comments, I think I know what to
do now.

Ok...good luck.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
