[VIM] Q2 Solutions ConnX - timeline
security curmudgeon
jericho at attrition.org
Tue Apr 7 02:24:56 UTC 2009

http://archives.neohapsis.com/archives/bugtraq/2009-04/0018.html

Recommendation:
Vendor refused to comment on whether they would develop a patch or even notify
existing client base.

Workaround: Remove ConnX server from public Internet access and protect behind
corporate firewalls, SSL-VPN, web application firewall etc.

Disclosure timeline:
30-Oct-2008 - Discovered during audit.
05-Nov-2008 - Notified vendor. Vendor declined to comment.
01-Dec-2008 - Submitted full details to vendor.
18-Dec-2008 - Attempted to contact vendor again for a patch release date.
18-Dec-2008 - And again...
18-Dec-2008 - Vendor response, no patch - "We support our clients,
not independent contractors."
03-Apr-2009 - Disclosure.