[FD] Cisco AsyncOS Cross-Site Scripting Vulnerability CVE-2014-3289

2014-06-09 Thread William Costa
I. VULNERABILITY
-

Reflected XSS vulnerability in Cisco IronPort Email Security
Virtual Appliance Version: 8.0.0-671

II. BACKGROUND
-
Cisco Systems, Inc. is an American multinational corporation headquartered
in San Jose, California, that designs, manufactures, and sells networking
equipment.

III. DESCRIPTION
-
A reflected XSS vulnerability has been detected in the Cisco IronPort Email
Security Virtual Appliance.
The code injection is done through the parameter "date_range" in the page
"/monitor/reports/overview?printable=False&date_range"

IV. PROOF OF CONCEPT
-
The application does not validate the parameter “date_range” correctly.

https://ip_cisco_web_security/monitor/reports/overview?printable=False&date_range=<script>alert(2)</script>

V. BUSINESS IMPACT
-
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, which allows arbitrary HTML/script code to be executed
in the context of the victim user's browser.

VI. SYSTEMS AFFECTED
-
Reflected XSS vulnerability in Cisco IronPort Email Security
Virtual Appliance Version: 8.0.0-671.

VII. SOLUTION
-
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3289

By William Costa

william.co...@gmail.com

___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
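Added example, not code from the advisory or from Cisco: a toy handler that models the unescaped echo of date_range described above, its hardened counterpart (whitelist plus output encoding), and the two checks a tester runs against a reflected parameter. The handler bodies, the set of accepted range names, the canary string and the reuse of the advisory's placeholder hostname are assumptions; nothing here contacts a real appliance.

```python
"""Added example (not the advisory's or Cisco's code): models the reflected
echo of date_range reported for /monitor/reports/overview, the hardened
handler, and the checks a tester runs. The handler bodies, the whitelist of
accepted range names and the canary string are assumptions; nothing here
contacts a real appliance."""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed PoC URL in the advisory's shape, with the '&' and the <script>
# tags that the list archive stripped restored.
POC_URL = ("https://ip_cisco_web_security/monitor/reports/overview"
           "?printable=False&date_range=<script>alert(2)</script>")

# Assumed set of range names the overview page legitimately accepts.
ALLOWED_RANGES = {"current_day", "current_week", "current_month", "current_year"}

# Canary a tester injects instead of alert(): a unique tag plus the
# characters that matter for HTML injection.
CANARY = "zq9'\"<>&"


def params(url):
    """Parse the query string into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_vulnerable(url):
    """Echoes date_range verbatim into the page: the bug class reported."""
    p = params(url)
    return "<h1>Overview</h1><p>Range: %s</p>" % p.get("date_range", "")


def render_fixed(url):
    """Accepts only known range names, then HTML-encodes anyway (defence in
    depth) before echoing."""
    value = params(url).get("date_range", "")
    if value not in ALLOWED_RANGES:
        value = "current_day"  # unknown input is replaced by the default
    return "<h1>Overview</h1><p>Range: %s</p>" % html.escape(value, quote=True)


def reflected(url, response_html):
    """Does the raw date_range value reach the response unchanged?"""
    value = params(url).get("date_range", "")
    return value != "" and value in response_html


def unescaped_chars(render):
    """Inject the canary and report which dangerous characters come back
    unencoded. None means the value was not reflected at all; an empty string
    means it was reflected but every special character was encoded."""
    url = ("https://ip_cisco_web_security/monitor/reports/overview"
           "?printable=False&date_range=" + quote(CANARY))
    body = render(url)
    idx = body.find("zq9")
    if idx < 0:
        return None
    echoed = body[idx:idx + len(CANARY)]
    return "".join(c for c in "'\"<>&" if c in echoed)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, "reflected:", reflected(POC_URL, render(POC_URL)),
              "unescaped:", unescaped_chars(render))
```

Against a live target, replace the render callable with one that fetches the URL and returns the body; the canary check is preferable to alert() because it shows exactly which of the five characters survive, which is what decides whether a payload can break out of the context it lands in.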

Re: [FD] Responsible disclosure: terms and conditions

2014-06-09 Thread coderman
On Sun, Jun 8, 2014 at 4:03 AM, Paul Vixie p...@redbarn.org wrote:
...
> i am not a lawyer either. i started MAPS, the first anti-spam company,
> in 1997 or so, and became the most-sued person i know. i may be the
> most-sued person you'll ever know.

you have had interesting experiences!

how many of these lawsuits have been dropped before heading to trial?
(numbers or percentages?)

how many legal motions went back and forth before trial in various
motions or other tactics?

how many plaintiffs were multiple offenders, or behind multiple legal
filings against you in multiple venues?

how many of these lawsuits encountered procedural or judicial
complications by nature of being technical in nature?

(and if you've answered these elsewhere please forgive and point in
the right direction :)


best regards,



Re: [FD] Responsible disclosure: terms and conditions

2014-06-09 Thread Daniel Wood
Should also point out that getting E&O insurance is a good idea.

Daniel

> On Jun 8, 2014, at 1:34 PM, Dave Warren da...@hireahit.com wrote:
>
> On 2014-06-08 04:03, Paul Vixie wrote:
>> this is concerning, for two reasons.
>>
>> first, for enforceability, a contract requires exchange of
>> consideration. what's yours? i can see that the vendor is receiving
>> something of value (the disclosure) but it's not clear what you're
>> getting in return beyond the opportunity to have your good deeds go
>> unpunished. absence of a negative does not amount to a positive in the
>> eyes of the law.
>
> Indemnity is definitely consideration. I'm not sure that "1- You will not
> attempt to threaten or prosecute the researcher in any jurisdiction." is
> sufficient though, but something similar in appropriate legalese would
> possibly do the trick.
>
> There also needs to be an enforcement or penalty clause that is mutually
> agreeable (and this is probably where most companies will start to wonder if
> agreeing is worthwhile). A contract without an enforcement clause is mostly
> useless since a violation will, at most, allow the opposing party to
> disregard the contract. This works great in an "I will mow your lawn as needed
> for $80/week" contract, in which case in the event of a breach, the other
> party would stop complying with their terms.
>
> In this case, the vendor has an ongoing obligation to not sue, whereas the
> researcher has completed their portion as soon as they reveal the information
> to the company (or as soon as they complete a defined responsible disclosure
> period). If the company chooses to pursue legal action against the
> researcher, the researcher has no remedy in the contract.
>
> At a minimum, agreeing to limit damages in the event of any and all legal
> actions resulting from researching and disclosing the vulnerability would be
> a start.
>
> Still, I like the idea, especially if it's something that a reasonable number
> of researchers use.
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
