[VIM] Likely errors in PhpAuction report
Steven M. Christey (coley at mitre.org)
Wed Jul 13 02:32:25 EDT 2005

Regarding Diabolic Crab's report on PhpAuction vulns, archived here:
  SECTRACK:1014423
  URL:http://securitytracker.com/id?1014423
(CAN-2005-2252, CAN-2005-2253, and CAN-2005-2254 forthcoming)
there are a couple of oddnesses about them.  Specifically, some URLs contain
"/phpauction-gpl-2.5/" whereas others don't.

There is further evidence from the raw error outputs that some, or
all, of these results were obtained by testing on a live web site.

Given this, there is some evidence that the "viewnews.php" and
"login.php" errors are specific to the live web site and *not* the
PhpAuction product; however, the PhpAuction source code isn't available
so I can't be sure.

Normally I might not comment on this, but if I'm right, then a lot of
DBs didn't catch this.

- Steve