WebApp Sec mailing list archives

Re: mod_ibm_ssl & mod_ssl


From: Esteban Martinez Fayo <secemf () yahoo com ar>
Date: Wed, 12 Oct 2005 13:14:31 -0700 (PDT)

Hi,

IBM rarely issues advisories, not because their
products don't have security bugs, but because they
don't want people to know about them.
I discovered and reported to them some vulnerabilities
in IBM WebSphere last year; some of them are fixed
now, but they never published advisories.

For example, this one:
Remote Buffer Overflow in WebSphere Application Server
Administrative Console
http://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.html
has no advisory from IBM. They just included one line
of information in the List of Updates
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27004990
as APAR PK02002.
As you can see, the option for more information about
APAR PK02002 is disabled; there is no link.

Also, there is a cross-site scripting issue that I discovered
that is fixed in IBM WAS version 5.
It is listed as fixed in APAR PQ99687, but there is no
advisory from IBM.

I don't think that hiding this kind of information
will make IBM customers more secure.

Regards,

Esteban Martínez Fayó
Argeniss - Information Security
http://www.argeniss.com



--- jipi dini <jipidini () gmail com> wrote:

Hi,

   What is used in mod_ibm_ssl with WebSphere?
   I am wondering if an advisory affecting mod_ssl
also affects mod_ibm_ssl.

  Seems like there are never any advisories released
for WebSphere.
  This is built on top of Apache, right?

--
Thanks,
JiPi DiNi
