To satisfy us lowly users who have responsibilities to 5000 members and their personal information, I would like to understand whether you have learned anything from this and what your intentions are moving forward. How should he, or anyone, inform you of these things in the future? How can they escalate if you ignore them?
allanhardy wrote: Per howdark's site, the developers actually banned his IP from here, called his ISP and accused him of some nasty stuff, and basically screwed with him. What's that about?
allanhardy wrote: In any case, 2.0.11 doesn't mention the Highlight issue?
Fixed XSS vulnerability in username handling - AnthraX101
allanhardy wrote: However, upon research and hearing how you have handled the warnings about this over the past month, and handled howdark in general, I am left asking if you all feel you have the right policies and procedures in place? Have you learned anything from this? Your tactics against howdark seem petty and foolish, at least in hindsight. Of course I do not have a full picture.
Because of the way my security group is being laid out, we want to make sure we get credit for submitting them, not because we want fame and glory, just because we want to keep it open that we were the actual ones who found them and helped support phpBB. (Sounds sort of contradicting, but it's just the way we decided on it.)
If we are in agreement, we are also going to make sure you put out a patch before we release it on our security site.
We encourage the use of spreading knowledge.
If met under these terms, we will make sure you are the first to hear, since we are really in the mood to break down phpBB into parts and help fix everything piece by piece.
Thanks <3! This would work especially well if you could chat with me on AIM.
For our group leader: Brett (emu so emo)
me: My nightindreams.
Let me start by saying that I very strongly believe it's the responsibility of anyone finding a vulnerability in any application to first submit that to the authors of the relevant software ... no ifs, no buts, no maybes, and certainly no pre-conditions. To not submit an issue and give vendors a reasonable opportunity to correct it puts untold numbers of people at risk.
<snip nothing of great importance to this topic>
We here take all such submissions seriously and release updated versions as deemed necessary. Not all "vulnerabilities" are vulnerabilities, not all require immediate patching, etc. etc. Equally we note in the changelog the names of those who submit issues to us ... however it is my strongly held opinion that people should not submit issues just to "associate" their name with an application. I've submitted issues with other software to the relevant authors before and I have never expected recognition for it. IMO it's a case of doing what's right.
We request all security related issues be submitted to our tracker. That way the development "group" can respond appropriately. This ensures a "written" record of any problems, eliminating issues we've had in the past where people claimed to submit issues when in fact they hadn't. Equally it allows responses not just by myself but by others in that group.
I hope that answers your questions.
I agree, but I also agree credit deserves to be where credit is due. I didn't sit in front of your software for days for no reason. I'm here to make phpBB better and safer, to work faster than the people who try to abuse it.
I don't really see it as a responsibility though. If anything, I'm actually more disappointed in what I've seen after scrolling through these files. There are numerous areas only protected by sheer luck of intval, and also tons of sloppy spelling mistakes.
And don't even get me started on the email scripts. Did you guys forget about those years ago?
I guess we'll just see how things work out.
Without wishing to start a flamewar here ... "Tons of sloppy spelling mistakes" ... come on, have you read your own PMs to me? If you say "you spelled authorization incorrectly" I'll scream.
As for "luck of intval" ... it's called variable casting. Now it's very true to say we didn't do enough of this in 2.0.0 and upon problems being found by ourselves or others we've addressed them. Equally in 2.2.x we've centralised the setting of vars to better ensure they do not contain data they shouldn't. Ensuring parameters/variables contain the relevant type is one of the basic things you can do to reduce or eliminate injection and remote script execution problems.
As for "responsibility", sorry as I note, IMO it's very much a responsibility. If you lost your house keys would you like:
a) Whoever found them to pin them to your front door with a note saying "These keys belong to this house", or
b) Whoever found your keys to personally hand them to you and give you a chance to change the locks?
I'll go with b). Posting vulnerabilities in software into the public domain before informing the authors is the same as a), IMO.
Finally, as I said, we note the names of those who inform us of vulnerabilities before releasing the info publicly (we don't include the names of those who didn't bother informing us or who informed us after releasing the info). But I say again, that shouldn't be the motivation for deciding whether or not to inform the software authors. Such submissions should be viewed IMO as being "I did something useful".
Don't get me wrong, we appreciate submissions to our security tracker. But I must admit to being a little disappointed in your "need for pre-conditions" ... IMO someone either wants to "help" by submitting issues or they don't. To place "pre-conditions" on it rather goes against the idea of "helping" IMHO.
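The point made above about "variable casting" (forcing a request parameter to the type the code expects before it reaches a query) is easiest to see side by side. The following is an added illustration, not phpBB's own code; the helper `get_param` and the sample input are hypothetical and only mimic the idea of a single centralised place where parameters are typed.

```php
<?php
// Added illustration, not phpBB code: why casting request parameters to
// the expected type blocks injection. Constructed sample input below
// stands in for a URL query string like ?id=5 OR 1=1 --
$rawId = "5 OR 1=1 -- ";

// Vulnerable form: the raw value is interpolated into the SQL untouched,
// so the attacker's "OR 1=1" becomes part of the WHERE clause.
function queryUnsafe($id)
{
    return "SELECT * FROM posts WHERE post_id = $id";
}

// Hardened form: cast to the type the column actually holds. intval()
// keeps the leading digits and discards everything after them, so the
// injected SQL never reaches the query.
function queryCast($id)
{
    $id = intval($id);
    return "SELECT * FROM posts WHERE post_id = $id";
}

// Hypothetical centralised getter (not phpBB's API): every parameter is
// fetched through one function and the type is taken from the default
// value, so no individual call site can forget to cast.
function get_param(array $src, string $name, $default)
{
    if (!isset($src[$name])) {
        return $default;
    }
    $v = $src[$name];
    if (is_int($default)) {
        return intval($v);
    }
    if (is_bool($default)) {
        return (bool) $v;
    }
    // Strings: drop NUL bytes and escape for HTML output so a value that
    // is later echoed into a page cannot carry markup.
    return htmlspecialchars(str_replace("\0", '', (string) $v), ENT_QUOTES);
}

// Constructed request array standing in for $_GET.
$get = ['id' => $rawId, 'name' => '<script>alert(1)</script>'];

echo queryUnsafe($rawId), "\n";
echo queryCast($rawId), "\n";
echo get_param($get, 'id', 0), "\n";
echo get_param($get, 'name', ''), "\n";
var_dump(get_param($get, 'missing', 0));
```

Running it prints the two SQL strings next to each other: the first still contains the attacker's `OR 1=1`, the second contains only the integer. The getter shows the other half of the argument above: once every parameter passes through one typed accessor, the per-call-site `intval` stops being a matter of luck.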
My original idea for getting them wasn't for helping, I thought I could eventually just help out and give them to you, because I do have ethics and a stance of basic morality in the computer world.
I went through hell staring at the code. There's a difference between someone finding a key by mistake and someone looking damn hard for that key. I would happily hand over the key; I didn't think a little note would be such a big deal.
As for sloppy spelling mistakes, apparently you didn't see that I was pointing it out in your software, not my private message, but thanks.
But you're right, this is a useless waste of my time.
Sorry for my 'pre-conditions!'
Thank you for the time, detail, and other half of the picture. I thought I was being clever enough in not accusing while at the same time looking for transparency. I didn't accuse by asking what was going on or what was learned.
psoTFX wrote: Indeed you don't ... so accusing us in any way, shape or form is not exactly clever now is it? Shall we review what happened? Yes, let's do that ...
dhn wrote: allanhardy wrote: In any case, 2.0.11 doesn't mention the Highlight issue?
That is the following fix: Fixed XSS vulnerability in username handling - AnthraX101
The issue was not seen as critical when it was first released. Neither the original reporter nor the developers saw the potential at the time.
fallacy wrote: psoTFX, did you even have this jess person's permission to post your PRIVATE conversation?