oh cool, nice one (again)

(seperate topic but I can't be arsed starting a new thread)
Did you get that odd Symantec email about a BH vulnerability?

Yep.

 

If it's the vulnerability I think it is, it's already been reported and disclosed by FrSIRT and the US National Vulnerability Database, and as such already public, so I don't know why they've asked for encryption of the emails. Regardless I've made myself a PGP key and sent it to them as requested and I'll wait and see what they say.

 

If you want in you can probably generate and send them your PGP key as well I guess.

Ah ok, I thought it was something special because of all the PGP/encryption stuff.

Don't know if Yahoo or Gmail can do PGP stuff, so wont bother with that.

Was thinking of looking for a scanner thing to automatically pick up vulnerabilities before they hit security places - we use one at work, but it's expensive... I'm sure there's a free one somewhere though.

I've been using Acunetix WVS5 recently but the free version is quite heavily restricted and will only check for the more basic XSS exploits plus it takes an aeon to do anything so scanning for flaws takes at least several hours, especially on a project like Beehive.

I know nothing about this stuff, including what it is and isn't safe to say in public without giving too much away, but I'm curious to know more. What damage could someone do with this vulnerability? Big damage?

The one reported by FrSIRT is a cross site scripting flaw which allows injection of Javascript into pages.

 

Symantec haven't got back to me yet regarding their discovery.