Quoting Steve Kemp <steve_at_shellcode.org>:
> I'm curious what reaction others have gotten from reporting problems?
> I know some people will downplay even the most obviously critical holes,
> and others will bend over backwards to fix a completely obscure and
> unlikely hole - so it's probably only normal to expect a lot of
> variation ..
Depends on the individuals, yeah.
When talking about obscure and unlikely vulns, here is a Debian advisory from
elder days with the same type of GECOS bug that I just found in xshisen:
http://www.debian.org/security/1997/19970220.en.html
I used to audit lots of web applications a few years ago, and I remember that
Albrecht from PHProjekt got really angry when I posted this:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2002-04/0362.html
He had tried to cover up some of the issues by patching them but not including
them in the ChangeLog!
Sometimes when you audit web applications, the developers have never heard terms
like Cross-site Scripting and SQL Injection before, so you might have to explain
stuff to them. All C programmers have at least heard of buffer overflows.
-- Ulf Harnhammar http://www.advogato.org/person/metaur/

Received on Sun Jan 16 2005 - 19:26:48 GMT