10-25-2006, 11:02 AM
Symantec
Senior Member
Join Date: Oct 2006
Posts: 300

Invalid Reports
<p>This year has seen a mass influx of reports on remote file-include vulnerabilities. On the same note, it has also seen a mass number of <em>invalid</em> vulnerability reports. The trend, it seems, is for reporters to grep as much source code as possible, looking for that special phrase: include($variable). However, the reporters either neglect to read the entire source prior to that line, or perhaps choose to ignore it. As is often the case for false reports, within five lines of the include() call is a declaration for the very variable assumed to be vulnerable.</p>

<p>This naturally makes my job all the more complicated. Our team prides itself on having the most comprehensive vulnerability database available. We also want to make sure it’s accurate and doesn’t contain invalid entries. We try to verify all the issues reported to us, usually by inspecting the source code, but it is frustrating to spend time scrutinizing reports on “issues” that are clearly not vulnerable. This, in turn, means that we must now maintain a list of reports of invalid issues. We must then check that list every time an issue is reported to weed out the obvious invalid reports, and then repeat the cycle with another source inspection.</p>

<p>The real question remains: Are those that report these issues in such a hurry that they neglect to ensure their validity? Or, are the reporters in such a rush to have their five minutes of fame, eventually risking the loss of a lot of their credibility (and even facing ridicule from their peers) when the false report is discovered?</p>

<p>Our customers can rest assured that the issues we report have gone through the scrutiny required. They can also know that if we don’t report on an issue—even if our competitors may provide a report on it—then it’s likely not a valid issue because it’s based on an invalid report.</p>
http://www.symantec.com/enterprise/security_response/weblog/2006/10/invalid_reports.html
Wed, 25 Oct 2006 07:00:00 -0800
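The post describes a triage step that grep-driven reporters skip: after finding include($variable), read the lines before it and see what actually populates the variable. The script below is an added example, not code from the Symantec post or from any product it mentions. It performs that step mechanically over a PHP file: every include/require whose argument starts with a variable is matched up with the nearest preceding assignment of that variable, and the right-hand side decides the verdict. A constant right-hand side is the classic invalid report; a right-hand side read from $_GET, $_POST, $_REQUEST or $_COOKIE is a genuine candidate; anything else, or no assignment at all in the file, is left for a human. The PHP sample (SAMPLE_PHP) is constructed for the example, and the regexes are deliberately simple grep-grade heuristics, not a PHP parser.

```python
"""
Triage helper for grep-style remote file include (RFI) reports.

Added example, not code from the Symantec post. It automates the check
the post says reporters skip: for every include/require whose argument
starts with a variable, walk back through the same file to the nearest
assignment of that variable and classify what populated it.
"""
import re

# include($var) / require_once $var ...  -> keyword and the first variable used
INCLUDE_RE = re.compile(
    r"\b(?P<kw>include|require|include_once|require_once)\b\s*\(?\s*\$(?P<var>\w+)"
)
# $var = <rhs>;   ('==' is excluded so comparisons are not taken for assignments)
ASSIGN_RE = re.compile(r"(?<!\w)\$(?P<var>\w+)\s*=(?!=)\s*(?P<rhs>[^;]+);")
# request-controlled sources (heuristic list; $_SERVER etc. are left out on purpose)
REQUEST_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def _is_comment(line):
    s = line.strip()
    return s.startswith(("//", "#", "/*", "*"))


def classify_rhs(rhs):
    """Verdict for one assignment's right-hand side."""
    if REQUEST_RE.search(rhs):
        return "request_controlled"
    if "$" not in rhs:
        return "invalid_report"   # constant value: the false positive the post describes
    return "unresolved"           # derived from another variable: needs manual review


def triage(php_source):
    """Return one finding per include/require of a variable, with its verdict."""
    lines = php_source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if _is_comment(line):
            continue
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        var = m.group("var")
        verdict, assigned_at = "no_assignment_found", None
        for j in range(idx - 1, -1, -1):          # nearest preceding assignment wins
            if _is_comment(lines[j]):
                continue
            hit = next((a for a in ASSIGN_RE.finditer(lines[j])
                        if a.group("var") == var), None)
            if hit:
                verdict, assigned_at = classify_rhs(hit.group("rhs")), j + 1
                break
        findings.append({"line": idx + 1, "keyword": m.group("kw"), "var": var,
                         "verdict": verdict, "assigned_at": assigned_at})
    return findings


# Constructed sample PHP covering the cases a triager meets in practice.
SAMPLE_PHP = """<?php
// Case 1: the classic invalid report. The variable is a constant set
// right above the include; grepping for include($var) alone flags it.
$header = 'includes/header.php';
include($header);

// Case 2: genuine candidate. Taken straight from the query string.
$module = $_GET['mod'];
include($module . '.php');

// Case 3: last assignment wins. The default is a constant, but the
// conditional just above the include overrides it with user input.
$page = 'home.php';
if (isset($_GET['page'])) $page = $_GET['page'];
require_once($page);

// Case 4: user input is read but then replaced by a constant.
$tpl = $_POST['tpl'];
$tpl = 'default.tpl';
include_once $tpl;

// Case 5: nothing in this file sets it (register_globals era, or set by
// an earlier include); cannot be decided from this file alone.
require($skin);
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PHP):
        where = f"assigned at line {f['assigned_at']}" if f["assigned_at"] else "no assignment in file"
        print(f"line {f['line']:>2}: {f['keyword']}(${f['var']}) -> {f['verdict']:<20} ({where})")
```

Run it as a script to see the five verdicts; in a real triage you would feed it each file that a reporter's grep hit came from and discard the "invalid_report" entries before spending any manual review time. The "unresolved" and "no_assignment_found" verdicts are where the source reading the post calls for still has to happen.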