[VIM] PHPList - *not* vendor ACK for recent issue

Steven M. Christey coley at linus.mitre.org
Fri Aug 5 14:06:57 EDT 2005


from the vendor... (1) the security announcement was for older issues and
(2) the vendor can't reproduce the issues in the current stable version.

- Steve


---------- Forwarded message ----------
Date: Fri, 05 Aug 2005 09:27:41 -0300
To: Steven M. Christey <coley at mitre.org>
Subject: Re: Clarification requested on security announcement


Hi

No, that announcement is quite old; it was around November 2003 and it
affects versions prior to 2.6.4.
I have updated the page to reflect this information.

The vulnerability you mention was unknown to me, but I'm trying to
reproduce it and I'm not managing. The post does not actually mention
versions, and if I try this on the latest stable version (2.8.12, released
October 2004) I don't get any disclosures.

e.g. (the demo site)
http://www.phplist.com/lists/admin/?page=members&id=1%20union%20select%20null,password,null,null%20from%20phplist_admin%20where%20superuser=1/*sp_password

or the latest development version:
http://cvs.phplist.com/lists/admin/?page=members&id=1%20union%20select%20null,password,null,null%20from%20phplist_admin%20where%20superuser=1/*sp_password

The fact that the page mentions username and password is fine, because
that is in "demo mode only".

Regards
Michiel


Steven M. Christey wrote:

>Hello,
>
>I noticed your security announcement at:
>
>  http://tincan.co.uk/?lid=851
>
>Is this in response to the following Bugtraq post?
>
>  "PhpList Sql Injection and Path Disclosure"
>  http://marc.theaimsgroup.com/?l=bugtraq&m=112258115325054&w=2
>
>If so, then what are the affected versions?  The announcement has no
>date and no versions listed.
>
>
>Thank you,
>Steve Christey
>CVE Editor
>
>

-- 

least likely to say "it can't be done"
most  likely to say "if it's not in mantis, it won't be done"

t | i | n | c | a | n || l | t | d

         Buenos Aires | London | Machynlleth

t | i | n | c | a | n || l | t | d
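The reproduction attempt above passes a union-select string in the `id` parameter of the members page. As an added example (not code from the original message or from PHPList), the following Python checks web-server access logs for exactly that pattern: an `id` parameter that is expected to be an integer record id but carries SQL keywords. The log lines are constructed for the example; the assumption that `id` is integer-typed is the author's, not a PHPList specification.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (not taken from the original message). The
# second line carries the id= payload quoted in Michiel's reply above.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2005:09:27:41 -0300] "GET /lists/admin/?page=members&id=1 HTTP/1.1" 200 512
10.0.0.9 - - [05/Aug/2005:09:28:02 -0300] "GET /lists/admin/?page=members&id=1%20union%20select%20null,password,null,null%20from%20phplist_admin%20where%20superuser=1/*sp_password HTTP/1.1" 200 4096
10.0.0.7 - - [05/Aug/2005:09:28:30 -0300] "GET /lists/admin/?page=members&id=42 HTTP/1.1" 200 498
"""

# Request line inside a common/combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Parameters assumed to be integer record ids on the admin pages (assumption).
INT_PARAMS = {"id"}

# SQL keywords and comment openers that have no business in an integer id.
SQL_HINT = re.compile(r"\b(union|select|from|where)\b|/\*|--", re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (client_ip, param, decoded_value) for every request whose
    integer-typed parameter is not purely digits and contains SQL syntax."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group(1)).query
        # parse_qs splits on '&' and the first '=', and percent-decodes values,
        # so the trailing 'superuser=1/*...' stays part of the id value.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in INT_PARAMS:
                continue
            for value in values:
                if not value.isdigit() and SQL_HINT.search(value):
                    hits.append((client_ip, name, value))
    return hits


if __name__ == "__main__":
    for ip, param, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent non-integer {param}: {value!r}")
```

Only the second constructed line is reported; the plain numeric ids pass. The same digit check applied server-side (casting the parameter to an integer before it reaches the query) is the usual fix for this class of bug.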



More information about the VIM mailing list