    quote:

    I'm not sure we can expect all software companies to adhere voluntarily to such high standards -- especially when doing so will cost them (in the short term at least). There needs to be a foil. I suppose that CERT/Bugtraq may fulfil this role (I'm not familiar with them beyond knowing of their existence and having read a bulletin or two).


    CERT is getting nailed by the white-hat community. They are getting info on vulnerabilities and then are turning around and providing them to paying customers ahead of everyone else. CERT was supposed to be a clearinghouse where everyone was treated the same. They aren't doing that. That's why there have been a couple of security breaches in the last couple of months where individuals went and found information about vulnerabilities CERT was keeping close but not revealing to the general public.

    quote:

    Steve suggests letting the press handle disclosure -- fair enough, and pragmatic -- but why should someone be scared into handing over their discovery to a third party? If it's a technical issue, why does it have to be treated as a public relations issue, and will this really get the best fix?


    Well, look at all the bad press Microsoft got for the macro viruses, especially the Outlook ones. They added that additional feature because of a demand for more flexibility. So naturally there is going to be some gamesmanship back since so many people are looking for a cause to rail against.

    With that said, I think the vendor should be contacted first. They should in good faith keep the researcher informed that they are working on the issue. If they don't, then the researcher has a conscience problem. He or she knows there is a vulnerability. Someone else could find it. If the vendor isn't willing to act on the vulnerability, that means the vendor is willing to leave people exposed. If you stay quiet, you are party to that.

    quote:

    And, showing my hubris again, why *shouldn't* the finder get proper acknowledgment for their work?


    Microsoft now practices this, but for a while they didn't. For some, I guess, it's an image thing. You want it to look like your own people are good enough to find the issues before anyone else, thus you are the conquering hero. We know it's bunk, but...

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley