Jump to content

While I Was Working On An Importer...

Cody

By Cody
in General

 Share

To disclose or not to disclose?  

29 members have voted

  1. 1. Should I disclose vulnerabilities to the software vendor?

    • Yes, it's the right thing to do
      18
    • Yes, even though they will pretend like it never happened
      6
    • No, the fact that these are so obvious means they don't give a crap about their software so why should you?
      3
    • No, may I please have teh exploitz?
      2

Recommended Posts

Cody Newbie

Cody

Posted
Posted

We're working on getting an importer working for a certain billing solution, so with the intent of adding data into the system I reluctantly log in. I get about two clicks in when suddenly, my pupils dilate, my palms get sweaty, and I begin to salivate uncontrolably. I've only been logged in for a few brief moments and already I've stumbled upon an exploit.


I'm thinking, "Okay, that was easy." But I've got work to do. We need to get some test data in there so we can verify the importer. Click, click... vulnerability. Click, vulnerability, click, click, vulnerability, vulnerability, vulnerability. Seriously? :blink:

 

A few hours of inputing data and I've discovered more than a dozen vulnerabilities, without looking. No doubt there are many more. They range from mildly amuzing, to "OH $*&! Restore backup!".

 

How do you think we should handle this situation?*

 

 

*Obviously we'll be disclosing these vulnerabilities to the proper channels... in due time.

xison Newbie

xison

Posted
Posted

Would you be so kind to share with us what kind of exploits? The technical people around here enjoy this kind of stuff. Perhaps not exactly what or where (or which competitor) but at least the type of exploit? SQL injections, privilege escalation, simply flawed beyond repair?

Scott Horsley Newbie

Scott Horsley

Posted
Posted

I personally think the answer is yes. It's certainly the right thing to do.. however, I would also state to them that unless they correct/acknowledge this issue (give a window of time to them), you will have no option but to inform their community of the vulnerability also. This forces them to act on the issue rather than sweeping it under the rug.

 

If you were to publicly debunk them afterwards, then you have your communications to fall back on of course.

 

As a side note, you could squeeze in some blatant advertising for Blesta while notifying their customers when it came down to that point. :)

Michael Apprentice

Michael

Posted
Posted

I wouldn't report competitors, sorry makes you better, but if someone found a Blesta (won't happen) but if it did, I'd like someone to report it to you guys. Competitors don't care about their customers why help them :).

FRH Dave Newbie

FRH Dave

Posted
Posted

I like the way Steven from Rack911 handles these.  He contacts the vendor first and gives them ample time and opportunity to fix the problem.  If the exploit is severe and the vendor's response is "meh", he'll then post about it on WHT.  He won't post the exploit steps or where the exploit resides, but he'll make everyone aware that critical vulnerabilities were uncovered, that the vendor was contacted on xx/xx/xx, and that their response was "meh".

 

In the meantime, do keep working on the import module.  Lots of us are eagerly awaiting an import module for our current billing system.

Paul Rising Star

Paul

Posted
Posted

We hope to have something for you to test pretty soon Dave.

 

We will be reporting our security finds through the proper channels, in the proper way. I can only imagine what we would find if we were performing an actual security audit, and not just stumbling around like a normal user.

 

We are extremely grateful when we are contacted privately about possible security issues in our software.

Michael Apprentice

Michael

Posted
Posted

We hope to have something for you to test pretty soon Dave.

 

We will be reporting our security finds through the proper channels, in the proper way. I can only imagine what we would find if we were performing an actual security audit, and not just stumbling around like a normal user.

 

We are extremely grateful when we are contacted privately about possible security issues in our software.

Dam it lol helping WHM** if you was finding a few exploits doing a import, what would you do if you was just browsing it all, they just are full of exploits which is why we get all these patches lol, well got for me since I don't have it from the 1st.

FRH Dave Newbie

FRH Dave

Posted
Posted

We hope to have something for you to test pretty soon Dave.

 

Good to hear!  The latest version of my current billing system broke all my product descriptions and is causing issues with some emails being sent.  I can't wait to get out of this spaghetti disaster.

Michael Apprentice

Michael

Posted
Posted

Good to hear!  The latest version of my current billing system broke all my product descriptions and is causing issues with some emails being sent.  I can't wait to get out of this spaghetti disaster.

Yeah I heard on WHT a few people have that issue.

Paul Rising Star

Paul

Posted
Posted

Good to hear!  The latest version of my current billing system broke all my product descriptions and is causing issues with some emails being sent.  I can't wait to get out of this spaghetti disaster.

 

Just attempting to populate some data into their system, we found a lot of weird bugs. I think there was one where you can add events to the calendar, but they don't appear on the calendar. Are you experiencing that one too? We checked the database and they were in there, so we know how to import them at least -- and they should then appear on the Blesta calendar.  ;)

FRH Dave Newbie

FRH Dave

Posted
Posted

Just attempting to populate some data into their system, we found a lot of weird bugs. I think there was one where you can add events to the calendar, but they don't appear on the calendar. Are you experiencing that one too? We checked the database and they were in there, so we know how to import them at least -- and they should then appear on the Blesta calendar.  ;)

 

No, the calendar is not very helpful.  Their calendar doesn't have the ability to auto-populate events (create a "3-day customer followup with user ____" entry 3 days after service is activated, etc) so I've never touched it.

  • 2 weeks later...
  • 1 month later...
Biscuit1001 Newbie

Biscuit1001

Posted
Posted

Report it ethically, and document contact; then go public if, and only if, the exploit isn't patched, AND make that clear in your public disclosure.

 

That's the way it's always been done, that's the right way to do it, and I couldn't respect anyone going about it any other way than ethically.

 

I'm here as a prospective customer/refugee-from-the-name-that-shall-not-be-mentioned... but let me say this. I won't buy anything from a company who isn't ethical and I don't respect their practices. Think about it: not doing things "the right way" is what might sink that other ship. Don't be that guy.

Michael Apprentice

Michael

Posted
Posted

We submitted a responsible disclosure document to them today, all issues we found were confirmed to still be issues in their latest release. We'll see how they handle it.

 

Probably not well, they'll leave it until they are exploited.

MemoryX2 Newbie

MemoryX2

Posted
Posted

We submitted a responsible disclosure document to them today, all issues we found were confirmed to still be issues in their latest release. We'll see how they handle it.

 

 

Probably not well, they'll leave it until they are exploited.

 

 

Does anyone wonder why we jumped ship? *hint* *hint* 

 

This seems to be happening almost weekly now... (refering to exploits, which you may not have even found I don't know but I do know their main priority is adding bugs not fixing them)

Paul Rising Star

Paul

Posted
Posted

This seems to be happening almost weekly now... (refering to exploits, which you may not have even found I don't know but I do know their main priority is adding bugs not fixing them)

 

I think people are starting to realize that it's time to move on, and we're grateful for everyone that decides to make Blesta their billing application of choice.

Daniel B Newbie

Daniel B

Posted
Posted

I think people are starting to realize that it's time to move on, and we're grateful for everyone that decides to make Blesta their billing application of choice.

 

now if only I could get the dedicated server reseller program I want to use to integrate with Blesta instead of those other people...lol

  • 2 weeks later...
Cody Newbie

Cody

Posted
  • Author
Posted

We submitted a responsible disclosure document to them today, all issues we found were confirmed to still be issues in their latest release. We'll see how they handle it.

 

Well, it's been more than 2 weeks and still no patch from them.

 

I would think, given the severity of the issues we presented to them that they would have released a patch by now. Perhaps those 34 exploits have caused too much work for them? B)

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
 Share
Go to topic listing
×
×
  • Create New...