[WEB SECURITY] RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting in Google

PPowenski at oag.com PPowenski at oag.com
Tue Jul 11 09:30:25 EDT 2006


As long as there are NO RULES i.e. standards which companies MUST adhere
to in order to ensure an application is built for suitability for
purpose and a basic set of security principles the current state of
software development will continue. 
There will be those large software vendors which will bend to pressure
from large corporations but without a LEGAL framework the huge numbers
of small to middle size applications vendors who would prefer smoke and
mirrors will continue with that theme since it is zero cost.




-----Original Message-----
From: tcp fin [mailto:inet_inaddr at yahoo.com] 
Sent: 11 July 2006 05:30
To: Martin O'Neal; drfrancky at securax.org; RSnake
Cc: bugtraq at cgisecurity.net; full-disclosure at lists.grok.org.uk;
bugtraq at securityfocus.com; webappsec at securityfocus.com;
websecurity at webappsec.org
Subject: RE: [Full-disclosure] Re: [WEB SECURITY] Cross Site Scripting
in Google


Hey Martin , 
I agree with u partly but there are vendors out there
in the market who has Dont know DOnt care attitude. If
thats the case after idetifying and exploiting the vulnerability in the
same vendor product , I personally would not like to waste my and your
time with vendor who did not give us fav response before. 
I would refrain from taking names but I have seen that happening in the
past and still some of those vul are existing in those products. However
no one can deny Full Disclosure with responsibility the responsible
Disclosure !!! Regards, 
TCP-FIN


--- Martin O'Neal <martin.oneal at corsaire.com> wrote:

> 
> > my opinion is that full disclosure is not for
> vendors ..
> > it's for users. full disclosure is for us to know
> how to
> > react on certain threads.
> 
> Which is just fine if you are technically competent
> to understand the
> threat, and there is also a valid mitigating
> strategy you can employ
> immediately.  For the vast majority of situations
> though, this just
> isn't the case.  The users are not technically
> competent enough to
> understand the true threat posed by an entry on a
> news group (which are
> generally hopelessly incomplete and/or factually
> inaccurate) and then
> this is coupled with a vulnerable product that may
> be essential,
> difficult to protect, and a stable official fix that
> may be weeks or
> months away from delivery.
> 
> I personally also believe in full disclosure, but it
> has to be delivered
> in a responsible fashion.  Dispatching
> vulnerabilities to a public list
> without even attempting to contact the vendor is
> clearly not in the best
> interest of the vendors nor the great majority of
> the user base.
> 
> Martin...
> 
> 
> 
>
----------------------------------------------------------------------
> CONFIDENTIALITY:  This e-mail and any files
> transmitted with it are
> confidential and intended solely for the use of the
> recipient(s) only.
> Any review, retransmission, dissemination or other
> use of, or taking
> any action in reliance upon this information by
> persons or entities
> other than the intended recipient(s) is prohibited.
> If you have
> received this e-mail in error please notify the
> sender immediately
> and destroy the material whether stored on a
> computer or otherwise.
>
----------------------------------------------------------------------
> DISCLAIMER:  Any views or opinions presented within
> this e-mail are
> solely those of the author and do not necessarily
> represent those
> of Corsaire Limited, unless otherwise specifically
> stated.
>
----------------------------------------------------------------------
> Corsaire Limited, 3 Tannery House, Tannery Lane,
> Send, Surrey, GU23 7EF
> Telephone: +44(0)1483-226000
> Email:info at corsaire.com
> 
> 
>
------------------------------------------------------------------------
-
> Sponsored by: Watchfire
> 
> Securing a web application goes far beyond testing
> the application using
> manual processes, or by using automated systems and
> tools. Watchfire's
> "Web Application Security: Automated Scanning or
> Manual Penetration
> Testing?" whitepaper examines a few vulnerability
> detection methods -
> specifically comparing and contrasting manual
> penetration testing with
> automated scanning tools. Download it today!
> 
>
https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmm
>
------------------------------------------------------------------------
--
> 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------
-
Sponsored by: Watchfire

Cross-Site Scripting (XSS) is one of the most common application-level 
attacks that hackers use to sneak into web applications today. This 
whitepaper will discuss how traditional CSS attacks are performed, how
to 
secure your site against these attacks and check if your site is
protected. 
Cross-Site Scripting Explained - Download this whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701500000008Vmr
------------------------------------------------------------------------
--
This e-mail is intended for the named recipient(s).  It and any attachments may contain privileged and/or confidential information. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient.  If you are not one of the intended recipients, or this email is received in error, please immediately either notify the sender or contact OAG Worldwide Limited on +44 (0) 1582 600111 quoting the name of the sender and the email address to which it has been sent and then delete it and any attachment(s). 
While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Limited and its affiliate companies cannot guarantee that attachments do not contain any viruses or are compatible with your systems, and does not accept liability in respect of viruses or computer problems experienced. Neither OAG Worldwide Limited nor the sender accepts any responsibility for viruses and it is your responsibility to scan or otherwise check this email and any attachments.  
OAG Worldwide Limited may monitor or record outgoing and incoming e-mail to secure effective system operation and for other lawful purposes.  By replying to this email you give your consent to such monitoring. 
Thank you.
OAG Worldwide Limited is a company registered in England and Wales (registered number 4226716), with its registered office at Church Street, Dunstable, Bedfordshire, LU5 4HB, United Kingdom.


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list