[Full-disclosure] On the vulnerabilities of web services
Fabio Pietrosanti (naif)
lists at infosecurity.ch
Tue Jul 24 10:59:40 BST 2007
I have no time to write a detailed post on the issues related with the
guys that are recently releasing bugs of web services.
I would like someone analyze the implications, differences in terms of
community advantages, people risks, technology enhancements related with
the disclosure of vulnerabilities of web services (misc websites of
railways, internet providers, public agencies, search engines and
webmails) VS the disclosure of vulnerabilities in standalone pieces of
software.
I don't like the public disclosure of XSSs and SQL Injections (and stuff
like that) on third party web sites, i don't consider it useful for
anyone, too risky for the 'researcher' and too risky for the third party
websites.
Only in July there was a storm of fucking websites vulnerabilities
announcements:
- http://seclists.org/fulldisclosure/2007/Jul/0457.html TRENITALIA.COM
- http://seclists.org/fulldisclosure/2007/Jul/0460.html STATCOUNTER.COM
- http://seclists.org/fulldisclosure/2007/Jul/0437.html ACTUAL TESTS
- http://seclists.org/fulldisclosure/2007/Jul/0296.html ORKUT
- http://seclists.org/fulldisclosure/2007/Jul/0187.html Wachovia Bank
- http://seclists.org/fulldisclosure/2007/Jul/0035.html blinzzard.com
- http://seclists.org/fulldisclosure/2007/Jul/0036.html WORLDOFWARCRAFT.COM
Hey guys, do you feel yourself cooler than before, now?
-naif
Full-Disclosure is hosted and sponsored by Secunia.