Overview
To better understand the risks in the technologies used to store and process information, Corsaire dedicates time and effort to a continuous research program. As part of this, we take established and emerging technologies, and analyse them to see if they work as they are intended.
If an issue is identified in a product, we draft an 'advisory' outlining what we have found, then contact the vendor and pass over all the information necessary for them to replicate the environment. It is then up to the vendor to provide a permanent solution to the issue (such as a software patch), and to make it available to their customers in a timely fashion.
Once a solution is available, we pass the advisory first to our clients (to give them some advance warning of what is coming), and then release it into the public domain a few days later.
Unreleased
Sometimes a vendor may not be forthcoming in addressing an issue. To motivate them, we publish a list of the more interesting unreleased issues here. We don't believe in setting arbitrary limits upon how quickly a vendor should respond, but as a yardstick the most responsive vendors take around 30 days to investigate, develop, test and release a solution. The typical resolution takes between 60 and 90 days, so anything over this is slow.
If you are a customer of a vendor listed here, and you believe that they are not responding as quickly as you would like, then we would encourage you to get in touch with them and express your dissatisfaction.
Corsaire Advisory c080107-001
Vendor: Multiple
Product: Linux services
Severity: Moderate (DoS)
Reported: Jan 8, 2008 (180 days ago)
Status: In discussion; no update.

Released
Listed below are the advisories that have already been released into the public domain. The usual process for this is to submit them to public mailing lists, like Bugtraq and VulnWatch, and the usual CIRT teams.
| Jan 08, 2008 | Sun J2RE DoS issue |
| Jul 20, 2007 | Citrix Access Gateway session ID disclosure issue |
| Jan 12, 2007 | ChainKey Java Code Protection Bypass issue |
| Jul 31, 2006 | VMware ESX Server Password Cross Site Request Forgery issue |
| Jul 31, 2006 | VMware ESX Server Password Disclosure in Log issue |
| Jul 31, 2006 | VMware ESX Server Password Disclosure in Cookie issue |
| Jun 1, 2006 | VMware ESX Server Cross Site Scripting issue |
| Aug 16, 2005 | HP Ignite-UX passwd file disclosure issue |
| Aug 16, 2005 | HP Ignite-UX filesystem permissions issue |
| Jul 25, 2005 | SAP Internet Graphics Server traversal issue |
| Jul 8, 2005 | Tivoli Management Framework Endpoint DoS issue |
| Jun 28, 2005 | Ipswitch WhatsUp SQL Injection issue |
| Feb 28, 2005 | Mitel 3300 ICP web interface DoS issue |
| Feb 28, 2005 | Mitel 3300 ICP web interface session hijacking issue |
| Nov 19, 2004 | Netopia Timbuktu remote buffer overflow issue |
| Nov 19, 2004 | Danware NetOp Host multiple information disclosure issues |
| Sep 17, 2004 | Business Objects WebIntelligence arbitrary document deletion issue |
| Sep 17, 2004 | Business Objects WebIntelligence XSS issue |
| Sep 13, 2004 | Multiple vendor MIME field multiple occurrence issue |
| Sep 13, 2004 | Multiple vendor MIME field whitespace issue |
| Sep 13, 2004 | Multiple vendor MIME field quoting issue |
| Sep 13, 2004 | Multiple vendor MIME Content-Transfer-Encoding mechanism issue |
| Sep 13, 2004 | Multiple vendor MIME separator issue |
| Sep 13, 2004 | Multiple vendor MIME RFC2047 encoding issue |
| Sep 13, 2004 | Multiple vendor MIME RFC2231 encoding issue |
| Sep 13, 2004 | Multiple vendor MIME RFC822 comment issue |
| Aug 13, 2004 | Clearswift MAILsweeper multiple encoding/compression issues |
| Aug 10, 2004 | Sygate Enforcer discovery packet DoS issue |
| Aug 10, 2004 | Sygate Secure Enterprise replay issue |
| Aug 10, 2004 | Sygate Enforcer unauthenticated broadcast issue |
| Aug 10, 2004 | Port80 Software ServerMask inconsistencies |
| May 5, 2004 | Verity Ultraseek path disclosure issue |
| Mar 10, 2004 | Multiple vendor HTTP user agent cookie path traversal issue |
| Nov 12, 2003 | PeopleSoft PeopleBooks Search CGI multiple argument issues |
| Nov 12, 2003 | PeopleSoft IScript XSS issue |
| Nov 12, 2003 | PeopleSoft Gateway Administration servlet path disclosure issue |
| Oct 31, 2003 | BEA Tuxedo Administration CGI multiple argument issues |
| Oct 31, 2003 | BEA WebLogic example InteractiveQuery.jsp XSS issue |
| Mar 26, 2003 | Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue |
| Mar 6, 2003 | Clearswift MAILsweeper MIME attachment evasion issue |
| Feb 21, 2002 | Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SNMP |
| Feb 21, 2002 | Symantec Enterprise Firewall (SEF) SMTP proxy inconsistencies |
| May 9, 2001 | Symantec/Axent NetProwler 3.5.x database configuration |
| May 9, 2001 | Symantec/Axent NetProwler 3.5.x password restrictions |
| Mar 1, 2001 | Microsoft Outlook 2000 vCard Buffer Overrun (additional information) |
