WebApp Sec mailing list archives
Re: mod_ibm_ssl & mod_ssl
From: Esteban Martinez Fayo <secemf () yahoo com ar>
Date: Wed, 12 Oct 2005 13:14:31 -0700 (PDT)
Hi,

IBM rarely issues advisories, not because their products don't have security bugs, but because they don't want people to know about them. I discovered and reported to them some vulnerabilities in IBM WebSphere last year; some of them are fixed now, but they never published advisories.

For example, this one:

Remote Buffer overflow in WebSphere Application Server Administrative Console
http://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.html

has no advisory from IBM. They just included one line of information in the List of Updates
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27004990
as APAR PK02002. As you can see, the option for more information about APAR PK02002 is disabled; there is no link.

Also, there is a cross-site scripting issue that I discovered that is fixed for IBM WAS version 5. It is listed as fixed in APAR PQ99687, but there is no advisory from IBM.

I don't think that hiding this kind of information will make IBM customers more secure.

Regards,
Esteban Martínez Fayó
Argeniss - Information Security
http://www.argeniss.com

--- jipi dini <jipidini () gmail com> wrote:

Hi,

what is used in mod_ibm_ssl with WebSphere? I am wondering if an advisory affecting mod_ssl is also affecting mod_ibm_ssl. Seems like there are never any advisories released for WebSphere. This is built on top of Apache, right?

--
Thanks,
JiPi DiNi