Comments on: Two SiteMinder Flaws and Painful Disclosure http://i8jesus.com/?p=55 because arshan's too cheap to license OneNote Wed, 01 Sep 2010 06:10:02 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Amruta http://i8jesus.com/?p=55&cpage=1#comment-35104 Amruta Wed, 01 Sep 2010 06:10:02 +0000 http://i8jesus.com/?p=55#comment-35104 Hey Arshan, First, the way you have explained is fantastic! Second and may be I am too late, but I was browsing for XSS vulnerabilities in Siteminder to snap back some foolish souls who say "We have Siteminder and hence no XSS", when I came across your blog. Further search also shows that both NIST and NVD is making a note of your blog for these vulnerabilities: http://www.sans.org/newsletters/risk/display.php?v=8&i=35 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2704. But ya, CA Sucks Big Time! Hey Arshan,

First, the way you have explained is fantastic! Second and may be I am too late, but I was browsing for XSS vulnerabilities in Siteminder to snap back some foolish souls who say “We have Siteminder and hence no XSS”, when I came across your blog. Further search also shows that both NIST and NVD is making a note of your blog for these vulnerabilities: http://www.sans.org/newsletters/risk/display.php?v=8&i=35 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2704.
But ya, CA Sucks Big Time!

]]> By: Giorgio Fedon http://i8jesus.com/?p=55&cpage=1#comment-33061 Giorgio Fedon Tue, 29 Jun 2010 07:59:10 +0000 http://i8jesus.com/?p=55#comment-33061 Hi Arshan, we also discovered the following issue on Siteminder policy editor. As you can see CA does not plan to fix it... http://blog.mindedsecurity.com/2010/06/ca-siteminder-oneview-monitor-remote.html Hi Arshan,

we also discovered the following issue on Siteminder policy editor. As you can see CA does not plan to fix it…

http://blog.mindedsecurity.com/2010/06/ca-siteminder-oneview-monitor-remote.html

]]> By: Juan Carlos Calderon http://i8jesus.com/?p=55&cpage=1#comment-21854 Juan Carlos Calderon Wed, 16 Sep 2009 18:10:10 +0000 http://i8jesus.com/?p=55#comment-21854 I guess next time you could try CERT to handle the all hassle for you. I guess next time you could try CERT to handle the all hassle for you.

]]> By: Anton Chuvakin http://i8jesus.com/?p=55&cpage=1#comment-16056 Anton Chuvakin Fri, 10 Jul 2009 19:03:24 +0000 http://i8jesus.com/?p=55#comment-16056 It was in Info Security Magazine a few years ago; don't remember the year. It was in Info Security Magazine a few years ago; don’t remember the year.

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=55&cpage=1#comment-15914 arshan dabirsiaghi Thu, 09 Jul 2009 17:29:53 +0000 http://i8jesus.com/?p=55#comment-15914 haha - who called them that? url plz! haha – who called them that? url plz!

]]> By: Anton Chuvakin http://i8jesus.com/?p=55&cpage=1#comment-15833 Anton Chuvakin Wed, 08 Jul 2009 16:52:00 +0000 http://i8jesus.com/?p=55#comment-15833 Hmm.. how come you expected ANYTHING different? This is CA, the company that invented "worst of breed" in security. Hmm.. how come you expected ANYTHING different? This is CA, the company that invented “worst of breed” in security.

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=55&cpage=1#comment-15236 arshan dabirsiaghi Sat, 04 Jul 2009 04:07:33 +0000 http://i8jesus.com/?p=55#comment-15236 any collection of bytes will pass as long as they don't overlap with the bad characters in ascii values 0-128 any collection of bytes will pass as long as they don’t overlap with the bad characters in ascii values 0-128

]]> By: bbq ribs dud http://i8jesus.com/?p=55&cpage=1#comment-14863 bbq ribs dud Tue, 30 Jun 2009 22:19:50 +0000 http://i8jesus.com/?p=55#comment-14863 does your assertion include Hangul Syllables? does your assertion include Hangul Syllables?

]]> By: arshan dabirsiaghi http://i8jesus.com/?p=55&cpage=1#comment-13618 arshan dabirsiaghi Sun, 14 Jun 2009 19:41:48 +0000 http://i8jesus.com/?p=55#comment-13618 i have to say your comment was perfection i have to say your comment was perfection

]]> By: Jim Manico http://i8jesus.com/?p=55&cpage=1#comment-13137 Jim Manico Tue, 09 Jun 2009 22:20:52 +0000 http://i8jesus.com/?p=55#comment-13137 This is a brilliant piece of work and pursuit of the truth. I have no technical comment because the message above already achieved perfection. This is a brilliant piece of work and pursuit of the truth. I have no technical comment because the message above already achieved perfection.

]]>