Liegt bestimmt an der Firewall

Tuesday, March 20. 2007

Liegt bestimmt an der Firewall

Folgende Nachricht schrieb ich an den Support von Napster (das ist dieser DRM-Shop, hervorgegangen aus dem Label eines längst vergessenen Projekts):
Die Suche auf napster.de ist anfällig für eine Cross Site Scripting Attacke:
http://www.napster.de/search_music.html?op=search&artist_name="><script>alert(1)</script>

Folgende, überaus kompetente Antwort erhielt ich:
Diese Meldung erscheint, wenn Sie ein Anti-Virus Programm oder die Firewall aktiviert haben. Bitte, erlauben Sie Napster in dem betreffenden Programm.
Posted by Hanno Böck in Code, Computer culture, Security, Webdesign at 22:47 | Comments (5) | Trackbacks (0)
Defined tags for this entry: , , , ,
Related entries by tags:

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

Didn't you say you practice responsible disclosure ?
#1 Matz on 2007-03-20 23:19 (Reply)
Well, first I wanted to note that I said I »usually« practice responsible disclosure.
Beside that, they have been informed before. So imho all requirements for responsible disclosure are met. It's not my fault if they're too stupid to understand the issue.
#1.1 Hanno (Homepage) on 2007-03-20 23:39 (Reply)
I think you can't expect the costumer support to know what a Cross Site Scripting Attack is. I think you should explain it to them and tell them to forward the message to someone who is responsible for the security.
#1.1.1 Matz on 2007-03-21 22:20 (Reply)
I'm a really a fan of responsible disclosure, but there are some borders. If someone proves to be too stupid to unterstand what the problem you can just publish it. I recommend Hanno to just blog after the first response. It is just not worth, spending more work on it. Just remember the story of Chris Shiflet and Amazon. He waited one year and nothing has been done on a really, really big hole.
You can insist, that one day is too less. I would be completely with you. Normally you should grant a much bigger period. But only if you can expect, someone will work on it. In the Napster case, you just can't.
#1.2 Lars Strojny (Homepage) on 2007-03-21 21:27 (Reply)
Die Email scheint wohl bei der Kundenberatung gelandet zu sein. ;-)
#2 Stefan Horning (Homepage) on 2007-03-21 16:57 (Reply)

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

About me

You can find my web page with links to my work as a journalist at https://hboeck.de/.

You may also find my newsletter about climate change and decarbonization technologies interesting.

Hanno Böck
mail: hanno@hboeck.de

Hanno on Mastodon

Impressum

schokokeks.org

Creative Commons

CC0
Unless noted otherwise, all content is CC Zero / public domain

Show tagged entries

Frontpage
Datenschutz / Privacy