[VIM] Likely errors in PhpAuction report

security curmudgeon jericho at attrition.org
Fri Aug 26 02:18:44 EDT 2005


: (CAN-2005-2252, CAN-2005-2253, and CAN-2005-2254 forthcoming)
: 
: has a couple oddnesses about them.  Specifically, some URLs contain 
: "/phpauction-gpl-2.5/" whereas others don't.
: 
: There is further evidence from the raw error outputs that some, or all, 
: of these results were obtained by testing on a live web site.
: 
: Given this, there is some evidence that the "viewnews.php" and 
: "login.php" errors are specific to the live web site and *not* the 
: PhpAuction product; however the PhpAuction source code isn't available 
: so I can't be sure.
: 
: Normally I might not comment on this but if I'm right, then a lot of 
: DB's didn't catch this.

Mailed the vendor originally, fast reply saying they were auditing and 
would confirm. Didn't hear back, pinged them a week ago and still no 
reply. Bleh.



More information about the VIM mailing list