
Re: Vulnerabilities in NovaBoard

... ciao:

: on "4-21-2010" "MustLive" writ:

    and about which, i find me confused.

: you can saw the letter which was posted last week by one developer of 
: one such vulnerable web application ---
    from my reading of that exchange, i "thought" the author a 'system 
administrator', rather THAN, the programmer of the flawed application.  
from my experience, a sysadmin seldom enjoys the freedom programmers 

: it's only way to draw attention of web developers to these issues.

: Timeline:
: 17.03.2010 - found vulnerabilities.
: 02.04.2010 - disclosed at my site.
: 03.04.2010 - informed developers.

    that would be correct, if and only if, captcha limitations were 
unknown to this community at 'this' point in time.  that, is clearly, not 
the case.
    if memory serves, you took exception to another's inability to act 
quickly in response to your discovery.  yet, there is NO chance of that 
happening given your 'notification' policy.  further, i do not recall 
mention of a workaround, or mitigation path.

    "attention of web developers to these issues"
    i've been watching this list prior to the "code-red" epidemic.  
cisco 675 routers puked on code-red.  i was the first to post a 
workaround, when i mentioned the problem i was having with the device.  given 
the objective you've outlined, i have to wonder what kind of attention 
you seek.  as a given:
    1.  your discoveries are like those of IE; big whoop.
    2.  you offer no solutions, or methods to mitigate the problem.
    3.  you offer < "ZERO" warning to those that need it most.
    4.  it looks like you're trying to drive traffic to your domain.
    do you really think this a way to be taken seriously in this 
community ...


... i'm a man, but i can change,
    if i have to, i guess ...