Re: Siebel Vulnerabilities

From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Tue Aug 02 2005 - 06:33:56 EDT


Scott Roberts wrote:

> Anyone have any insight into PenTesting/VulnAssessments on any
> version of Siebel? On searching many of the web's vulnerability
> databases (NTBugtraq, CVE, SecurityFocus) have nothing at all on any
> product. It cannot be that simple. I know it's built on a DB backend
> (which can obviously be attacked) and a potentially vulnerable OS, but
> I've been asked to look solely at the Siebel itself. Any help would
> be greatly appreciated.

Don't take vulnerability databases as the holy grail. There are
_many_ products out there whose vulnerabilities do not get press
attention or coverage in vulnerability databases. Almost all complex
software systems (such as Tibco, Tivoli or HP Openview) do have a
number of security issues. However, few people are going to have the
opportunity to properly audit those as only a few corporations run them
and people auditing them are typically under NDA agreements. Unless
those that audit produce a flashy whitepaper ('Security in XXXX') you
will never find their security issues. Of course, some vendors do have
a clue and produce proper security guides for top-notch products that
might be usable as an audit checklist reference. However, these guides
might not be publicly available either.

Trust security vulnerability databases and sources for the common
stuff (i.e. wide-spread applications such as web servers or operating
systems), don't trust them to be accurate when dealing with uncommon
stuff only Fortune 100 companies use.

Just my 2c

Javier




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:40 EDT