Subject: Re: RFP2K03: Contemplations on dvwssr.dll and its affects on life
From: rain forest puppy (rfp@WIRETRIP.NET)
Date: Mon Apr 24 2000 - 20:39:07 CDT


Screw tomorrow, have it today. Diff attached. See for
yourself--differences were the incorporation of the fact that it came with
Visual Interdev 1.0, and that web authoring expanded the scope. Other
than that, it was grammatical.

> Microsoft, and WSJ was **SUBSTANTIALLY** different than the one he sent to

Substantially? Check the diff. Granted, diff produced many lines, but
much of this was due to an inclusion of a missing word/grammar, and the
differences in line wrapping.

> Bugtraq and other lists. In the interest of fairness and honesty, Attrition
> might publish that **original** advisory?

Diff included. Have fun.

> e.g. In RFP's **original** advisory, there was no mention that the scope of
> the vulnerability was limited to users with Web Author permissions. His

Right. Included an even smaller scope.

> **original** advisory claimed that you only needed to know the "backdoor
> password" and how to obfuscate it (hence all the work on a script to do
> that)...and *anyone* could access all of the .asp files on any FP site.

*anyone*? And where does it state that? Let's look at the diff of 'The
Long' section:

-73,16 +86,17
 Luckily, from my auditing, this is not included with any other versions of
 FrontPage (including Unix), and in the versions I found it on, ACLs
 prevented its use (only System and Administrators were allowed full
-access). So it's not as widespread as, say, RDS. ;)
+access); I was told by MS that only individuals with web authoring
+permission can use it, which is more than I had originally thought. But
+it's not as widespread as, say, RDS. ;)
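Review bot: the hunk header on the first line of this fragment has lost its `@@` delimiters (it should read `@@ -73,16 +86,17 @@`), so a patch tool will not apply it as pasted. In the added lines, the clause "which is more than I had originally thought" leaves the reader to work out what was widened; since the unchanged context above names only System and Administrators, the revision would be clearer stated directly, e.g. "...can use it, a wider set than the System/Administrators-only scope noted above."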

So I mention only System and Administrators can use it originally. Then
I added the web authoring thing.

So it was stated, and the scope was expanded.

> Minor nit? Anyone versus Web Authors? I think it was the *substance* of the
> WSJ story, if not the advisory itself.

System/Administrators, vs. System/Administrators & web authoring is the
real thing.

> The entire 2nd paragraph of his **REVISED** advisory was contrived after the
> WSJ story was locked, probably after discussions with me (when I told him
> much of what was in that 2nd paragraph) or discussions with MS.

To properly credit sources, securemicrosoft.com, WSJ, and Russ Cooper all
commented on the web authors thing. I wanted to be accurate, and since it
expanded the scope of the vulnerability beyond what I initially thought,
I revised to include it. I did not take credit...note the "I was told by
MS that ...".

> After receiving analysis of his advisory (from myself and others), RFP
> **REVISED** it to present to the general public.

I did not retract anything I had said. Russ, have you seen the original,
or are you 'winging it' again without quite seeing the advisory/problem?

I don't think the rest of Russ's letter needs commenting, as it pertains
to me retracting some part of my advisory, which I had not. A few small
things though...

> "The manager of Microsoft's security-response center, Steve Lipner,
> acknowledged the online-security risk in an interview Thursday"
>
> Sure, IMO Steve probably did acknowledge that there was an "online-security
> risk" based on RFP's claims. Did he "confirm" it? Nope! Did he say
> "Everything RFP has claimed is true!" Nope! Yet others re-wrote that section
> of Ted's story to say that MS had "confirmed it."

Well, we can't exactly ask Lipner what he said, since his story is now
different. Ted? Have it on tape? Oh, and Russ...

        "IMO Steve probably did acknowledge..."

There you go again...did you hear what Steve said, or are you providing
your 'professional' opinion? Is that what got you into trouble in the
first place?

It seems reporting needs to boil down to 'yes/no' questions, just so
everyone is on the same page.

- rfp


