[Full-Disclosure] Explanations about the NASA security issues and confused people
qobaiashi at gmx.net
Sat Oct 25 16:28:35 BST 2003
Am Samstag, 25. Oktober 2003 00:44 schrieb Lorenzo Hernandez Garcia-Hierro:
> Hi all,
> Some people is a little confused with the NASA related security
> issues and my advisory,
> so i'm explaining the confusing things:
> 1.- Every time NASA staff was knowing what i was doing , i sent
> messages to administrators before doing anything.
> 2.- John R. Ray of the NASA Competency Center ( Information
> Technologies Security ) contacted me for solve the issues.
> 3.- The report was completely closed to public access when the
> systems were vulnerable
> 4.- I provided an accesscode to see the advisory for the NASA staff.
> 5.- I was everytime testing the vulnerabilities and when i found that
> the most important were patched i make public with some restrictions
> the advisory.
> 6.- Of course , i wrote a disclaimer that can be found in the main
> web site and http://advisories.nsrg-security.com/disclaimer.txt
> 7.- A mail log that has all the exchanged mail between NASA staff and
> me ( and action log too with dates and details ) is available at:
> So ,please , be careful saying that i made it public without
> contacting before the NASA staff.
pretty cool, man!
> 8.- In the report there is no private information about NASA nor
> working exploits against important security holes like sql
> 9.- ScreenShots are modified for remove private url addresses ( like
> www.nasa.gov portal admin access )
> 10.- Some people was saying that i wanted fame doing it , definately
> not , i made it for demostrate that web security is a real problem
> and a thing that must be included in security policies of the
now i see it's not about fame. naming "NASA" +10 times is just to sound...erm
> The next generation of hackers will can make damage against servers
> with the only help of a web navigator, the web browser will be a
> really dangerous hacking tool, and it is not the future , it is now ,
> just see last advisories about phpnuke , etc
yeah that's realy interesting!
i've just started writing my new 0day browser with neat phpnuke sploiting
> 11.- The communication between NASA staff and me was completely clear
> except that i didn't received response after i sent a message
> confirmand that the report was finished an they had the access code
> to see it.
> It was a completely clear job between NASA staff and me , they were
> really fast patching ( one day ) and really fast replying my first
> The important thing is that NASA staff knows now wich risk has web
> applications security and how to solve web application securiuty
and thanks for letting all of us know what you've done!
> Everything in this life has a final mean , in this case : web
> security must be treated as other security issues , if not , you are
> in risk
> How much times i must rewrite this mail ?
> Best regards and thanks to all members of Ful-Disclosure,
Full-Disclosure is hosted and sponsored by Secunia.