Forums: What To Do - Forums

What To Do

#1 User is offline   extremest 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 31
  • Joined: 10-September 04

Posted 06 May 2005 - 07:34 AM

I have noticed a few sites that may be open to SQL injection. Since I am no expert in this matter, what should I do? Contact the site or the ISP about it so that they can maybe fix the problem? Or should I try to find out who made it and let them know instead? Please let me know.
0

#2 User is offline   sabrodiesel2000 

  • Corporal
  • Icon
  • Group: Members
  • Posts: 157
  • Joined: 30-April 05

Posted 06 May 2005 - 08:34 AM

First of all, contact the ISP so that they can block the suspicious packets from the specific site to the local zone... then probably they will contact the website people themselves.
0

#3 User is offline   extremest 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 31
  • Joined: 10-September 04

Posted 06 May 2005 - 09:01 AM

sabrodiesel2000, on May 6 2005, 11:34 AM, said:

First of all, contact the ISP so that they can block the suspicious packets from the specific site to the local zone... then probably they will contact the website people themselves.

OK, so then should I just use SenderBase to find the info on the site for the ISP? I am new to this.
0

#4 User is offline   Blake 

  • Former Commander In Chief
  • Icon
  • Group: Retired General
  • Posts: 7,317
  • Joined: 24-September 02

Posted 06 May 2005 - 09:08 AM

Unfortunately I would say any contact that you may make should only be made anonymously. So many different companies I have seen turn around and cause legal issues for guys that have been nice enough to point out the problems. So if I were you, I would pull up the registration information for the company's domain and then send an email anonymously.
0

#5 User is offline   extremest 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 31
  • Joined: 10-September 04

Posted 06 May 2005 - 09:17 AM

GSecur, on May 6 2005, 12:08 PM, said:

Unfortunately I would say any contact that you may make should only be made anonymously. So many different companies I have seen turn around and cause legal issues for guys that have been nice enough to point out the problems. So if I were you, I would pull up the registration information for the company's domain and then send an email anonymously.

Thanks for the help. Also, should I let sites know about XSS that is possible on their site?
0

#6 User is offline   extremest 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 31
  • Joined: 10-September 04

Posted 06 May 2005 - 09:33 AM

OK, now I feel like an idiot. Who exactly should I e-mail, and if not the site itself, where can I get the info?
0

#7 User is offline   sabrodiesel2000 

  • Corporal
  • Icon
  • Group: Members
  • Posts: 157
  • Joined: 30-April 05

Posted 06 May 2005 - 09:38 AM

Nice piece of advice GSEC... and yes extremest, go ahead anonymously.
0

#8 User is offline   Kenny 

  • Commander In Chief
  • Icon
  • Group: Admin
  • Posts: 6,447
  • Joined: 18-August 06

Posted 06 May 2005 - 11:10 AM

What I tend to do is use an external e-mail account for exploit reporting only and use my nick... never my real name... yet.

Here, look at this example from today:

http://securitytracker.com/id?1013903

OK, it states I am from GSO... but the e-mail account doesn't point here... I found 98% of vendors or admins I have informed... respect what you find... after all... you are trying to help them.

Some guys I know have used alias names in the past and have decided to change and use their real names... fair play, that's down to them, but they have to tread with care... in some cases... they could be the next Adrian Lamo... and end up being locked up.

But in general... as long as you state to the admin, vendors etc. that it is from a security point of view... then you should be OK to report... in a similar way to how I do.
Kenny aka ComSec

Please read the Forum Rules !!!

Blog

" http://kaltech.blogspot.com/ "

______________________
0

#9 User is offline   extremest 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 31
  • Joined: 10-September 04

Posted 06 May 2005 - 11:16 AM

Thanks a lot for that. I am going to get busy trying to let these sites know about what I have found.
0

#10 User is offline   Kenny 

  • Commander In Chief
  • Icon
  • Group: Admin
  • Posts: 6,447
  • Joined: 18-August 06

Posted 06 May 2005 - 11:18 AM

BTW... if you contact some of the sites like SecurityTracker, Bugtraq... they will inform the vendors for you... if you wish to remain totally anon.

Just mention it... if you submit a report ;)
0

#11 User is offline   extremest 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 31
  • Joined: 10-September 04

Posted 07 May 2005 - 07:50 AM

I have one more quick question. How do you find out what type of software it is, for the vendor? Do I just tell SecurityTracker the site and the bug and they will figure it all out, or what?
0

#12 User is offline   Kenny 

  • Commander In Chief
  • Icon
  • Group: Admin
  • Posts: 6,447
  • Joined: 18-August 06

Posted 07 May 2005 - 10:11 AM

Uhhh...

IPB is a product owned and copyrighted by invisionboard.com.

BulletProof FTP is a product owned by DigitalCandle.com.

Windows is a product owned by every hacker under the sun, oh, and Microsoft.thingy.

Do some research on the product and vendor before you try and exploit it... ? Like check out previous Bugtraq reports or SecurityTracker vendor history, or Secunia, CERT records... etc.
0

#13 User is offline   extremest 

  • Private First Class
  • Icon
  • Group: Members
  • Posts: 31
  • Joined: 10-September 04

Posted 07 May 2005 - 10:19 AM

Well, the reason I am asking is that I am not sure where the software they are using is coming from. I have an affiliate site with one of them and noticed an SQL injection issue in their software. I didn't know if I should just contact them anonymously about the issue so that they can fix it, or what.
0
