On the topic of CyberGuard, here is some additional information regarding their desire for retractions and deletions. There is no additional vulnerability information but this may be of interest on the responsible disclosure front. There is also some information as to *why* CyberGuard has a strong desire to have the information retracted: : >> Don't know; Internet law is still very unclear in so many areas. : I found a shitty security issue in CyberGuard Firewall/Proxy some time : ago; they were pretty upset about it. Went to the top as far as I : understand it, to Paul Henry. : In any case, they asked me to issue a retraction statement saying the : security issue was false. I _did_ get the feeling the lawyers would : come out of the woodwork but I ignored them and they finally went away. : I'd say it was a pretty close shave. CyberGuard later contacted Secunia, SecurityTracker, OSVDB, SecurityFocus (BID) and likely ISS. Several of the vulnerability databases talked with each other about this. Carsten Eiram and Thomas Kristensen of Secunia performed some followup dialogue and eventually got CyberGuard to ack that it was "an issue". CyberGuard claimed that while it was an issue, it had no impact and therefore should not be in their database. : CyberGuard firewalls have zero vulnerabilities. Security Tracker agrees : to remove erroneous 'vulnerability' message posting. Stuart Moore of Security Tracker also had an email thread with CyberGuard over all of this, but it didn't play out quite like they claim. From correspondance between Stuart and myself: After consideration (but with no testing of our own, as we don't have access to the product), we concluded that there was no significant security impact from the ability to execute scripting code in the context of the proxy. [..] So, we modified our alert to say that we would delete the alert on the basis that it was not a genuine *cross-site* scripting issue. Regrettably, Cyberguard then issued a press release saying "SecurityTracker agrees that there is no vulnerability" or something similar. When Derek Cheung of CyberGuard contacted OSVDB, he was initially very firm and the tone of the mail was a bit hostile. After talking with other VDBs and looking at all of the original information, OSVDB determined we would not delete the entry (OSVDB 3132), nor flag it as a myth/fake entry. We did add a technical note that clarified the extent of the vulnerability, and how it was not a standard XSS attack. Also of note, CyberGuard's response to the original issue: http://www.osvdb.org/ref/03/03132-vendor-response.pdf : CyberGuard make decent firewalls; the manner in which they manage their : response to security vulnerbilities is poor. Months after the whole saga of this vulnerability, Jake Kouns of OSVDB discovered why it was such an issue to them most likely. http://www.cyberguard.com/resources/ads/CyberGuard_uk_zero_vulnerabilities.pdf http://www.cyberguard.com/news_room/recent_ads.cfm Also on page 59 of Information Security Magazine (08/04 issue i think) contained an advertisement for CyberGuard. The heading was "How do you measure ROI?", halfway down it says "Discover the power of zero vulnerability security" and lists several firewall vendors in a chart, along with how many vulnerability entries could be found in BID, X-Force, CVE, CERT and CIAC. For CyberGuard, predictably, it listed '0'. So having a CyberGuard vulnerability in the databases made this advertisement untrue. I can understand they would want 0 listed, every security vendor would want that. However, their agressivement pursuit of removing it from all of the databases backfired a bit. As it stands, there are entries all over: BID 9245 - deleted CVE - none ISS 14034 - CyberGuard invalid domain cross-site scripting Secunia 10472 - CyberGuard Error Page Cross-Site Scripting Vulnerability SecurityTracker 1008526 - CyberGuard Firewall Proxy Error Page Input .. OSVDB 3132 - CyberGuard Firewall/Proxy Error Page Input Validation Weakness Also amusing, this prompted me to do a 10 minute search through past security mail list archives and I found material that will likely lead to several other CyberGuard vulnerability entries, shattering the '0 Vulnerability' record a bit more. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html