Date: Tue, 23 Oct 2012 22:13:34 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Matthieu Aubry <matthieu.aubry@...il.com>
CC: oss-security@...ts.openwall.com, Hanno Böck <hanno@...eck.de>
Subject: Re: CVE request: XSS in piwik before 1.9

On 10/23/2012 04:12 PM, Matthieu Aubry wrote:
> I hate to break it to you but I did a quick file diff and the XSS
> stuff is pretty easy to spot. Any attacker who wants to find the
> vulnerability will, quickly. Not giving out information really
> only harms the people that actually benefit from knowing (e.g. your
> users and vendors, it's just one more thing to figure out).
>
> We know and understand how diff works, remember that we are building
> a major open source software? So yes we are fully aware how easy it
> is to find XSS by doing a diff...
>
> We disagree that giving out exploits and more info about the hacks
> will help security and our users: it will NOT. Supporting
> researchers to find security bugs in open source projects, however,
> has helped us a lot: http://piwik.org/security/

I never said anything about giving out exploits.

I simply pointed out that trying to hide details of an issue is only
going to annoy legitimate users/vendors and does not actually
protect against attackers who also know how to use diff. Transparency
in the security process is important, it helps build trust, and it
helps users/vendors deal with the issues more quickly and efficiently.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

