Must be the firewall

Tuesday, March 20. 2007, 22:47
I sent the following message to Napster support (that is the DRM shop that grew out of the label of a long-forgotten project):
The search on napster.de is vulnerable to a cross-site scripting attack:
http://www.napster.de/search_music.html?op=search&artist_name="><script>alert(1)</script>

I received the following, highly competent reply:
This message appears when you have an anti-virus program or the firewall enabled. Please allow Napster in the program in question.
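For readers who want to see what the report above is about: the search term is reflected into the page without output encoding, so a value beginning with `">` closes the attribute it lands in and the rest is parsed as markup. The snippet below is an added illustration, not code from this post or from napster.de; the `<input value="...">` template is an assumed stand-in for the real page, and the URL is the one quoted above. It shows the unescaped reflection next to the fix, which is attribute-context escaping with `html.escape`.

```python
import html
from urllib.parse import parse_qs, urlsplit

# URL as quoted in the report above.
REPORTED_URL = (
    'http://www.napster.de/search_music.html'
    '?op=search&artist_name="><script>alert(1)</script>'
)

# Assumed stand-in for the search page: the submitted artist name is echoed
# back into the value attribute of the search box. The real template is unknown.
TEMPLATE = '<input type="text" name="artist_name" value="{value}">'


def artist_name_from_url(url: str) -> str:
    """Return the artist_name query parameter as the server would receive it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("artist_name", [""])[0]


def render_unsafe(artist_name: str) -> str:
    """Vulnerable rendering: the raw parameter is pasted into the attribute.

    A value starting with '">' terminates the attribute and the tag, and
    whatever follows becomes markup of its own.
    """
    return TEMPLATE.format(value=artist_name)


def render_safe(artist_name: str) -> str:
    """Hardened rendering: escape for the HTML attribute context.

    html.escape with quote=True (the default) turns &, <, >, " and ' into
    entities, so the value can never close the surrounding attribute.
    """
    return TEMPLATE.format(value=html.escape(artist_name, quote=True))


def contains_script_tag(markup: str) -> bool:
    """Crude check used only to show whether an injected <script> survived."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    term = artist_name_from_url(REPORTED_URL)
    print("unsafe:", render_unsafe(term))
    print("safe:  ", render_safe(term))
```

Run it and compare the two lines: in the unsafe output the browser sees an empty `value=""` followed by a free-standing `<script>` element, while the safe output keeps the whole search term inside the attribute as inert text. Escaping has to match the context the value lands in; `html.escape` covers element text and quoted attributes, but not JavaScript or URL contexts.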


Comments

Didn't you say you practice responsible disclosure?
#1 Matz on 2007-03-20 23:19
Well, first I wanted to note that I said I »usually« practice responsible disclosure.
Besides that, they have been informed before. So imho all requirements for responsible disclosure are met. It's not my fault if they're too stupid to understand the issue.
#1.1 Hanno (Link) on 2007-03-20 23:39
I think you can't expect the customer support to know what a Cross Site Scripting Attack is. I think you should explain it to them and tell them to forward the message to someone who is responsible for the security.
#1.1.1 Matz on 2007-03-21 22:20
I'm really a fan of responsible disclosure, but there are some borders. If someone proves to be too stupid to understand what the problem is, you can just publish it. I recommend Hanno to just blog after the first response. It is just not worth spending more work on it. Just remember the story of Chris Shiflet and Amazon. He waited one year and nothing has been done on a really, really big hole.
You can insist that one day is too short. I would be completely with you. Normally you should grant a much bigger period. But only if you can expect someone will work on it. In the Napster case, you just can't.
#1.2 Lars Strojny (Link) on 2007-03-21 21:27
The email seems to have ended up with customer service. ;-)
#2 Stefan Horning (Link) on 2007-03-21 16:57
