[VIM] Possible bogus old vuln notification - PunkBuster
Steven M. Christey
coley at mitre.org
Sat Aug 13 16:13:32 EDT 2005
Refs:
BUGTRAQ:20040219 PunkBuster SQL Injection Attack
URL:http://www.securityfocus.com/archive/1/354453
BID:9697
URL:http://www.securityfocus.com/bid/9697
SECTRACK:1009145
URL:http://securitytracker.com/id?1009145
XF:punkbuster-login-sql-injection(15267)
URL:http://xforce.iss.net/xforce/xfdb/15267
(heavily annotated CVE forthcoming)
The researcher, "Just1n T1mberlake," makes several questionable claims
in this report:
1) The reference to http://pbdb.sourceforge.net is actually for
"PB-DB", which is the PunkBuster Screenshot Database, apparently a
different product than "PunkBuster"
2) The download of Alpha 6 shows no reference to "Punky Brewster",
based on a case-insensitive grep of "punky" in the download, and a
Google search does not suggest any relationship between
"punkbuster" and "punky brewster"
3) The discloser claimed notification of a particular e-mail address
in 2004, but (a) the PB-DB home page does not have this address,
and (b) the last release was in October 2001, suggesting an
abandoned project.
4) The following source code is claimed to be affected:
query = "select count(*) from users where menuboy = 'weaklikepr4wn' &
userName='" & userName & "' and userPass='" & password & "' & cumquat = 1"
However, I searched the source for "query", "select", "menuboy",
and "username" but did not find this source code.
In short, it is highly likely that this post was bogus.
- Steve
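The checks in points 2) and 4) above amount to searching an unpacked download for the identifiers a report quotes. The following triage helper is an added example (not code from the post or from PB-DB); the sample tree, file names and contents are constructed, and `load_tree` is only needed against a real extracted archive.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for an extracted download (NOT real PB-DB source):
# path -> file contents. Real use: load_tree("/path/to/unpacked/pb-db").
SAMPLE_TREE: Dict[str, str] = {
    "login.asp": 'Set rs = conn.Execute("SELECT id FROM users")\n',
    "readme.txt": "PB-DB: PunkBuster Screenshot Database, alpha release.\n",
}

Hit = Tuple[str, int, str]  # (path, line number, stripped line)


def load_tree(root: str) -> Dict[str, str]:
    """Read every regular file under root as text (undecodable bytes replaced)."""
    base = Path(root)
    return {
        str(p.relative_to(base)): p.read_text(errors="replace")
        for p in base.rglob("*") if p.is_file()
    }


def find_tokens(tree: Dict[str, str], tokens: Iterable[str]) -> Dict[str, List[Hit]]:
    """Case-insensitive whole-word search for each token across every file.
    An empty hit list means the identifier never occurs in the tree."""
    hits: Dict[str, List[Hit]] = {t: [] for t in tokens}
    for path, text in tree.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for tok in hits:
                if re.search(r"\b" + re.escape(tok) + r"\b", line, re.IGNORECASE):
                    hits[tok].append((path, lineno, line.strip()))
    return hits


def claim_is_supported(tree: Dict[str, str], required: Iterable[str]) -> bool:
    """A quoted snippet is corroborated only if every one of its distinctive
    identifiers appears somewhere in the source; a single missing token is
    enough to doubt the report."""
    hits = find_tokens(tree, required)
    return all(hits[t] for t in hits)


if __name__ == "__main__":
    # The identifiers the post searched for in the claimed query, plus "punky".
    claimed = ["query", "select", "menuboy", "username"]
    for tok, where in find_tokens(SAMPLE_TREE, claimed + ["punky"]).items():
        print(f"{tok:10s} {len(where)} hit(s)", where[:1])
    print("claim supported:", claim_is_supported(SAMPLE_TREE, claimed))
```

Against the constructed tree only "select" is found, so the claimed snippet is not corroborated, which is the conclusion the post reaches for the real download.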