web application security lab

Full Disclosure Forums Fallout

Well, it’s probably time I posted this; I’m pretty sure the end is nowhere in sight, but it’s worth a status update. The web application security forums were only built a month or so ago and they are already on fire, not just because a lot of vulnerabilities are being posted in the “Full Disclosure” section, but because of the drama that ensued with two security companies, F5 and Acunetix. Maybe I should start from the top.

This morning I was doing my morning ritual with my lovely girlfriend. We just got this very cool chair called a Sumo Lounge that’s sort of like a big bean bag chair, only way more art-deco and way more comfortable (check the website if you need a hacker chair; it’s seriously our most comfortable piece of furniture). Anyway, my girlfriend was sitting in the Sumo Lounge asking me about what’s been going down over the last few days. More or less I think she was concerned that what has been happening is either illegal or otherwise bad. I’m no lawyer, but Jeremiah Grossman did a wonderful writeup on why it shouldn’t be illegal. To paraphrase him: yes, it’s probably illegal in certain countries, but here it’s an open issue.

So anyway, in relative comfort I can move on to the drama. F5 and Acunetix were both found to have XSS/HTML injection vulnerabilities in their websites. Not a big deal, except that it’s a slap in the face to have security issues if you are a security company. Around this time we got slashdotted and written up in a number of articles [here] and [here]. Then the snowball effect took over and the forum found its way onto tons of different news sites, including theirs.

This all probably would have died down, but then F5 and Acunetix denied that they were vulnerable. Bad move. First of all, they WERE vulnerable; secondly, the members of the forum immediately found more vulnerabilities in the two security companies’ websites, this time with screenshots. Ouch. There’s a pretty amusing writeup at NOT4H4×0r’s blog about the whole thing.

Wow… Anyway, as I regale my girlfriend with the tale while she sits in the Sumo Lounge, I think she’s too comfortable, because no non-technical person can listen to anyone nerding out that much without getting bored. So, two conclusions: 1) this is a bigger problem than anyone realized, if only for public relations reasons, and 2) the Sumo Lounge stays.

6 Responses to “Full Disclosure Forums Fallout”

  1. Kyran Says:

    Oh my. Time to make a purchase.

  2. WhiteAcid Says:

    Damnit. I knew I should have read this place first, I myself wrote a blog entry about this at http://blogs.securiteam.com/index.php/archives/649

  3. SecuriTeam Blogs » Acutenix denying web site flaws Says:

    […] Here endeth my rant, but not the story which is also written about by RSnake and N074H4×0r. […]

  4. David Kierznowski Says:

    hehe.. ouch! :)

  5. Eric Farraro Says:

    Great post! I haven’t posted here before, but I have been reading this blog pretty regularly after seeing my Google exploit featured on here.

    I actually just found the forum today, and was not too surprised at the number of XSS exploits found. I’m still quite amateur when it comes to finding such exploits, but I think it’s great that the issue (of XSS attacks and new attack vectors) is getting more publicity. All of these sites should be incredibly thankful that they were featured in your forums, and not in an actual scam.

    The fact that the sites in question were security related is very ironic!

  6. AltaGid Says:

    Hello! Help solve the problem.
    Very often I try to enter the forum, but it says that the password is not correct.
    Regrettably use of remembering. Give like to be?
    Thank you!