A user posted a log entry: Concerning GET request in logs
I found an associated CVE of the vulnerability trying to be exploited. Is it okay to post and/or link the CVE number for clarification?
3
-
Why are you asking?– schroeder ModCommented May 13, 2021 at 18:59
-
1Because I found the CVE associated with the linked question and was thinking about posting the CVE. However, some might see that as inappropriate.– Nathan GoingsCommented May 13, 2021 at 19:03
-
5That's what I'm asking. What could be inappropriate?– schroeder ModCommented May 13, 2021 at 19:04
Add a comment
|
1 Answer
Yes, it's acceptable to post the CVE. You can discuss the vulnerability in any level of detail you'd like. You could even post a proof-of-concept exploit if you wish. If you are writing an answer though, make sure that it answers the question as fully as possible. A link to a CVE and nothing more is not enough.
-
1Careful with posting overly-detailed or overly-destructive exploit code. I have always had the impression that security.SE does not want to be a site for offensive hacking techniques and such questions / answer may get closed / deleted. Maybe this should be a different meta question though ... Commented May 19, 2021 at 0:57
-
5@MikeOunsworth I don't think so, since offensive techniques are the bread and butter for pentesters who would otherwise not get as much out of the answer. Of course, misleading destructive code that someone could accidentally run would not be allowed, but for different reasons (e.g. "run this code to turn on this security configuration" when the code actually deletes all your files). I've posted PoCs here and explained in great detail how to install rootkits and bypass detection mechanisms, etc. It's allowed because it helps pentesters. Blackhats don't have a monopoly on offensive security!– forestCommented May 19, 2021 at 1:05
-
If you're posting proof-of-concept implementations of vulnerabilities that have not yet been disclosed, then, yeah, it'd be unethical — as would it be to post a CVE in conjunction with, say, a corresponding Googledork. But if it's already been publicly disclosed, and you're not encouraging or expediting any access to vulnerable systems, it's probably fine. Commented May 19, 2021 at 13:25
-
4@JamesTheAwesomeDude I disagree. Although there are better places for full disclosure than Stack Exchange, there's nothing wrong with it. Not everyone thinks coordinated disclosure is the answer. If someone asks a question and you're digging deep into it to try to find the answer and it turns out the answer involves a new vulnerability, you shouldn't have to embargo your answer and wait to get a CVE assigned or something.– forestCommented May 19, 2021 at 21:12
-
@MikeOunsworth offensive questions do indeed thend ot be closed, and several people have commented on it in the past.. security.meta.stackexchange.com/questions/3370/…, security.meta.stackexchange.com/questions/296/…, security.meta.stackexchange.com/questions/897/…, etc. Exploit dev questions get moved stating that shellcode == programming, not security. Yet "is function x() secure" can stay. Commented May 25, 2021 at 3:22
-
@wireghoul Those that are closed are not closed because they are offensive questions, but because they belong somewhere else or are genuinely about breaking a specific system which is off-topic due to not being generalizable to other people.– forestCommented May 25, 2021 at 21:58
-
Except all the ones I vote reopen on, and some that are called out in those posts. You're free to believe that the system works perfectly, but I think otherwise. You only need about 5 active users who vote adversarially against offensive questions to close the question and there isn't a counter vote until that point and this can easily drive users off the platform. Anyway, the fact that a number of users keep making the complaint over a period of time doesn't seem to warrant reflection or meaningful discussion suggests the issue is largely decided Commented May 26, 2021 at 2:15