Exploit for ca$h

An exploit that I cannot give you exists for Mozilla (Gecko)-based web browsers. I also tested it on KDE’s Konqueror and found that the problem exists there as well…

The bug was found by Georgi Guninski. For those who don’t know him, he is almost a “bug hunter for hire”.

So why can’t I give you the exploit?

Well, Mr. Guninski wrote the following in his exploit:

Cannot be used in vulnerability databases
Especially securityfocus/mitre/cve/cert

And when we (SecuriTeam) sent him a private email about it, he told the entire world:

no.

you don’t have my permission.
try buying a licence with ca$h.

BTW, if you really wish to see the exploit, you can visit Bugzilla.

So I have one question: whatever happened to the idea of full disclosure?! I believe in it, and I have seen how much good it does for many products: only when exploits and advisories came out did the vendor actually fix the problems …


2 Comments:

  1. I came across this same bug on a security archive (I don’t have the link at hand) and read that same comment. I didn’t think much of it at the time.

    In one sense it could be used to centralise the debate, if their system allows users to comment on the submissions. But as was already pointed out it can mean that the vendor never finds out.

    I suppose someone should ask Georgi exactly why he is so particular. Still, most people tend to disclose information properly.

  2. I don’t think he can put a license on the bug. He can only put a license on the text of the advisory.

    In other words, there is nothing stopping you from describing the bug in your own words and posting it to the securiteam archive.

    Shachar
