[HECnet] Security hole in CSWS

Yes, I have reported it to VMS engineering in India about an hour ago (well I assume in India, the guys had subcontinent accents) and they said they'd get back to me. I'm trying to be reasonably "responsible disclosure" about this, so please don't spread the news TOO widely before HP gets a chance to fix this (== no posts to comp.os.vms or 'Full Disclosure' please :) but feel free to warn any responsible parties you think need a heads up. I will be posting an advisory later to Bugtraq or some such once HP has managed to fix the issue. Sampsa On 21 Sep 2009, at 21:46, Brian Hechinger wrote: On Mon, Sep 21, 2009 at 08:17:02PM +0100, Sampsa Laine wrote: Guys, What do you guys think, worth getting in touch with HP? I think this could be a potential disaster waiting to happen... A VMS Guru friend of mine replied with this: ======================================================================= Not surprising. I would guess that the source code makes some bad assumptions about file specifications. It should definitely be reported to HP. ======================================================================= -brian -- "Coding in C is like sending a 3 year old to do groceries. You gotta tell them exactly what you want or you'll end up with a cupboard full of pop tarts and pancake mix." -- IRC User (http://www.bash.org/?841435)