-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ben, Bugtraq,

For the record, AusCERT is more than happy to assist researchers with coordinated responsible vulnerability disclosure; in fact, you may remember us from coordinated vuln disclosures such as:

http://www.auscert.org.au/render.html?it=4091

We are happy to work with researchers and vendors and to keep your details anonymous if you so wish. This of course typically relies on you contacting us prior to public disclosure.

You mention in the below email that:

"auscert (sic) have no vulnerability reporting option"

Granted, we have no webform that you can fill out and submit regarding vulnerabilities (and we have never had a request from a researcher to implement such a thing). All the AusCERT contact details are available from:

http://www.auscert.org.au/1922

These options include: phone, fax, postal mail, email. This page includes a link to our PGP key should you wish to communicate securely via email.

We will certainly investigate this issue further, and will begin notifying potentially vulnerable parties exposed to this issue.

Best regards,
MacLeonard

- --
MacLeonard Starkey, Security Analyst | Hotline: +61 7 3365 4417
AusCERT                              | Fax: +61 7 3365 7031
Australia's National CERT            | WWW: www.auscert.org.au
Brisbane QLD Australia               | Email: auscert@xxxxxxxxxxxxxx

> Just fired this off to USCERT, not pretty.
>
> ---------------------------- Original Message ----------------------------
> Subject: jboss vulnerability
> From: dexie@xxxxxx
> Date: Tue, February 20, 2007 10:54 pm
> To: "cert@xxxxxxxx" <cert@xxxxxxxx>
> Cc: "soc@xxxxxxxxxxx" <soc@xxxxxxxxxxx>
> --------------------------------------------------------------------------
>
> Hi guys.
>
> I am an IT Security analyst in Canberra, Australia.
>
> I recently encountered an issue with jboss, which led me to do some Google
> enumeration...
>
> http://www.google.com.au/search?q=inurl:inspectMBean
>
> The search will pull up around 41500 results. Click on any of the links
> and you will gain access to the backend app (ie start/stop services,
> modify data, etc). I do not know if this will work in all cases, however I
> would recommend a good deal of caution if you do follow any of the links.
>
> Please let me know if you need any further info - I have nfi who to
> actually contact as auscert has no vulnerability reporting option and this
> is a first for me...
>
>
> Regards,
> Ben Dexter.
> +61 2 6207 0368

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRduI5Sh9+71yA2DNAQKiNwP/e/EkSLeP4R59Gdvo0j9k0dNCbqPCXpUA
9Jlc4JNAyRM44Y8AWv8Az5L2C1PpPYi8TB/4H//5MKBpG6IQ0IOx7OLqAp61V0i5
ByD7lWHI3GSzuU4X8CJUCwY16N4bMCu/PjgH9dL+mt43bQZ0y5Fr8Ni9DhcdjUbR
1RDccFQXjuY=
=3Rf4
-----END PGP SIGNATURE-----
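The report above turns on one signature, the `inspectMBean` action of the JBoss JMX console, and on the fact that search engines had indexed consoles that answered without authentication. An operator who wants to know whether their own JBoss host is among those results can look for that signature in the web server's access log. The script below is an added example and is not part of the Bugtraq post or of AusCERT's or JBoss's own tooling. It assumes Apache/NCSA "combined" log lines, treats the listed RFC 1918 and loopback ranges as the operator's own networks (constructed; replace with yours), and uses `/jmx-console/HtmlAdaptor` as the console path in the constructed sample lines, which the post itself does not state. It reports which outside clients requested the console, whether the server actually served the page (2xx) or an authentication layer stopped it (401/403), and whether the visit arrived via a search-engine query of the kind quoted in the report.

```python
"""Spot requests to an Internet-exposed JBoss JMX console in web access logs.

Added example (not part of the Bugtraq post). It looks for the 'inspectMBean'
signature from Ben Dexter's Google query and reports which public source
addresses were actually served such a page.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Networks treated as "our own" (assumption: replace with your internal ranges).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                         "192.168.0.0/16", "127.0.0.0/8")]

# Apache/NCSA "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines. The /jmx-console/HtmlAdaptor path is an assumption;
# the original report only cites the 'inspectMBean' action.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2007:22:10:01 +1100] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2007:22:11:45 +1100] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer HTTP/1.1" 200 5120 "http://www.google.com.au/search?q=inurl%3AinspectMBean" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2007:22:12:02 +1100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Feb/2007:22:13:30 +1100] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system%3Atype%3DServer HTTP/1.1" 401 0 "-" "curl/7.15"
"""


def is_internal(ip_str):
    """True if the client address belongs to one of our own networks."""
    try:
        addr = ip_address(ip_str)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_console_hits(log_text):
    """Return one record per JMX-console request from a non-internal client.

    'served' is True when the server answered 2xx, i.e. the console page was
    handed out; 401/403 means an authentication layer stopped it.
    'from_search_engine' marks hits whose Referer carries the inurl:inspectMBean
    query described in the original report.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool would count these
        if "inspectMBean" not in m.group("url") or is_internal(m.group("ip")):
            continue
        status = int(m.group("status"))
        referer = unquote(m.group("referer")).lower()
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "url": m.group("url"),
            "status": status,
            "served": 200 <= status < 300,
            "from_search_engine": "inurl:inspectmbean" in referer,
        })
    return hits


def exposed_sources(hits):
    """Distinct outside addresses that were actually served the console."""
    return sorted({h["ip"] for h in hits if h["served"]})


if __name__ == "__main__":
    found = find_console_hits(SAMPLE_LOG)
    for h in found:
        print(h)
    print("console served to:", exposed_sources(found))
```

A non-empty result from `exposed_sources` means the console answered outside clients with a 2xx, which is the condition the report describes; the fix is to put authentication in front of the console or remove it from Internet-facing deployments, after which the same query should only ever show up with 401/403 responses.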