Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
A little bit of the opposite... a vendor with a security vuln
Date: May 13, 2008 09:23PM

Earlier today I discovered a security hole in an application I've been working on. As far as I know, no one knows about this hole but me.

Obviously, I need to make a new release, and I need to tell users that this is a security release. However, how much of the details of the hole should I release with the announcement?

Some extra info: The commit that fixed the immediate security hole also patched up a longstanding missing feature (the two were inextricably linked), so it would be more difficult than usual for an attacker to look at the diff and guess what the vulnerability was. This is an open-source project.

HTML Purifier - Standards Compliant HTML filtering

Edited 1 time(s). Last edit at 05/13/2008 09:23PM by Ambush Commander.

Re: A little bit of the opposite... a vendor with a security vuln
Date: May 14, 2008 08:09AM

I've read several documents stating how to approach this situation, and citing different methods, but cannot remember any verbatim. Since no physical breaches have yet been reported as a result of this vulnerability, and because it is apparently unknown to anyone other than yourself, the best bet is to follow the lead of other companies and projects, and state in your announcement that the update increases the functionality and addresses a possible security issue. I don't believe you must divulge any further information on the subject to your clients/users, as at this moment in time it does not appear necessary given such issues have not been exploited.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: A little bit of the opposite... a vendor with a security vuln
Posted by: thrill
Date: May 14, 2008 11:39AM

@Ambush Commander - I agree with Awesome AnDrEw. The vulnerability was not reported to you by an outsider; rather, you discovered its existence yourself. There is no need to disclose what the vulnerability is, since doing so might actually cause harm to some of your users.

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: A little bit of the opposite... a vendor with a security vuln
Posted by: Malkav
Date: May 18, 2008 12:48PM

I second Andrew and thrill on this one, albeit I'll specifically mark this update as important, even if you do not disclose the vulnerability details. People tend to have a quite simple policy on updating production: 1: security updates ASAP, functionality updates "when we have time" (i.e., more often than not, never).
Making this fix a simple "functionality enhancement" risks delaying the fix. And whereas Ambush is the only one to report it, the 0day market may (or may not) be aware of this vuln. I'll ask around.

----------------------------------------------------------------------------------------------------------------

Those that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
--Benjamin Franklin

Re: A little bit of the opposite... a vendor with a security vuln
Date: May 18, 2008 02:00PM

Thank you for your comments. I was half-expecting calls for full disclosure, so this is good.

In the interest of disclosure, and also because it's out now, this security vulnerability pertains to HTML Purifier. It's actually the very first one in the core in the project's entire history. :-O (There was one other one, but it was in an auxiliary file.)

I hope that 0day market isn't aware of the exploit. :-/ But you never know...

HTML Purifier - Standards Compliant HTML filtering

Re: A little bit of the opposite... a vendor with a security vuln
Date: May 18, 2008 07:40PM

Quote:
    pertains to HTML Purifier.

I kind of figured as much :-$.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/
