MustLive mustlive at websecurity.com.ua
Sun May 27 16:50:15 EDT 2012

Hello guys!

I have a question for you about IBM. Has anybody successfully contacted
them, so that they officially answered and fixed vulnerabilities in their
software, since Leandro Meiners (since 2005)?

When I informed them many times in 2006-2008 concerning multiple
vulnerabilities on multiple web sites of IBM and IBM ISS, they just ignored
them and did not fix them, or some of them they first ignored and later quietly
fixed. But those were their sites, and I was hoping that concerning their
software products they would behave differently.

But when last week, during 16.05-20.05, I sent five advisories to IBM
concerning multiple vulnerabilities which I had found (in May, during a
pentest) in IBM Lotus Notes and Domino and IBM Lotus Notes Traveler, they
just ignored them. So they demonstrated the same behavior as concerning
their web sites. And there are a lot of Cross-Site Scripting, Information
Leakage, Brute Force, Insufficient Authentication, Cross-Site Request
Forgery, Redirector and HTTP Response Splitting vulnerabilities in their
software, which I informed them about, and which can be used for full
compromise of the server and the network of those who use IBM's software
(as was done during my pentest).

After the fourth e-mail to the IBM security department, when there were still
no answers from them, I resent the fourth letter to their support (hoping
that they would be more serious). Support answered the next day in a very
funny way, not as lame as Cisco's answer to me in 2008 concerning
vulnerabilities at their sites (which I consider the lamest vendor
response, much lamer than the nominees for the Pwnie Awards), but still not
serious enough. The letter was a "standard one": that they were in receipt of
my e-mail report and apologized for any inconvenience I may have
experienced. When I drew support's attention to the fact that I had already
written five letters to their security department (and just one to support)
about multiple vulnerabilities in their software products and had not
received any answers from them, and that I had "no issues with working with
their software" (as he tried to state in his letter), I received
another letter from another IBM employee, who wrote the same "standard
phrases" and added that to report issues with software I could call
them by phone :-). And now, a week after that, there are still no answers
from them (as was predictable since 16.05). This is how IBM cares about the
security of its software, particularly Lotus Notes and Domino and Lotus
Notes Traveler.

Best wishes & regards,
Administrator of Websecurity web site
