[VIM] [OSVDB Mods] [Change Request] 2015549: Ariadne CMS loader.php Remote File (fwd)

security curmudgeon jericho at attrition.org
Tue Jul 5 08:19:18 EDT 2005



---------- Forwarded message ----------
From: Gijsbert te Riet <gijs at muze.nl>
To: moderators at osvdb.org
Date: Mon, 4 Jul 2005 13:16:17 +0200 (CEST)
Subject: [OSVDB Mods] [Change Request] 2015549: Ariadne CMS loader.php Remote File

Dear reader,

The vulnerability report on your site, titled 'Ariadne Include File Flaw
Lets Remote Users Execute Arbitrary Commands', is inaccurate.

The report states that, by passing the variable 'ariadne' to the system,
"A remote user can execute arbitrary commands on the target system". This is
flawed, since on each request the first thing that is done is setting
the 'ariadne' variable to an admin-configured string. This is done by loading
the configuration file 'ariadne.inc'. After that, the 'ariadne' variable will
not contain any information entered via the web.

We regret that we were not informed about this 'flaw' before you
published it on your site, and had to find it by accident. It would have
been more appropriate to contact the developer of the system before letting
loose this kind of critical information. That way a fix (or in this case, a
counter-argument) could have been made in a day, instead of 4 months.

We hope you will update your entry with this information, and inform us the
next time an issue about one of our projects arises.

With kind regards,
Gijsbert te Riet.
Muze/ Ariadne.
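The dispute above turns on ordering: a request-supplied 'ariadne' value only matters if an include path is built from it before the configuration file has assigned it. The script below is an added illustration, not Ariadne's own code; it emulates the old PHP register_globals behaviour on which the OSVDB claim depended, contrasts the two orderings with a constructed request, and adds a path check that rejects URL wrappers and traversal regardless of ordering. Only the names 'ariadne', 'ariadne.inc' and 'loader.php' come from the message; the function names, the install root and the request value are assumptions for the demo.

```php
<?php
// Added illustration, not Ariadne's own code. Emulates 2005-era PHP
// register_globals and shows why assigning $ariadne from the configuration
// file before any include is reached discards the request-supplied value.
// Function and file names are assumptions; only 'ariadne', 'ariadne.inc'
// and 'loader.php' are taken from the mailing-list message.

// Emulates register_globals: every request parameter becomes a global.
// (Off by default since PHP 4.2.0 and removed in PHP 5.4; emulated here so
// the ordering problem can be shown without touching php.ini.)
function register_request_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Constructed stand-in for ariadne.inc: the admin-configured install root.
function load_config(): void
{
    $GLOBALS['ariadne'] = '/var/www/ariadne';
}

// Ordering the OSVDB entry assumed: the include path is built from $ariadne
// before the configuration has set it, so the request value reaches it.
function loader_path_config_after(array $request): string
{
    register_request_globals($request);
    $path = ($GLOBALS['ariadne'] ?? '') . '/lib/loader.inc';
    load_config(); // too late: $path already contains the request value
    return $path;
}

// Ordering the developer describes: configuration is loaded first, so
// whatever the request put in $ariadne is overwritten before any use.
function loader_path_config_first(array $request): string
{
    register_request_globals($request);
    load_config();
    return $GLOBALS['ariadne'] . '/lib/loader.inc';
}

// Defence in depth independent of ordering: a computed include path must
// not name a stream wrapper, must not traverse upward, and must stay
// under the configured root.
function include_path_is_local(string $path, string $root): bool
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $path)) {
        return false; // http://, ftp://, php:// and similar wrappers
    }
    if (strpos($path, '..') !== false) {
        return false; // parent-directory traversal
    }
    $prefix = rtrim($root, '/') . '/';
    return strncmp($path, $prefix, strlen($prefix)) === 0;
}

// Constructed request: a remote location in the 'ariadne' parameter.
$request = ['ariadne' => 'http://example.invalid/remote'];
$root    = '/var/www/ariadne';

$after = loader_path_config_after($request);
$first = loader_path_config_first($request);

echo "config loaded after path is built: $after\n";
echo "  local? " . (include_path_is_local($after, $root) ? 'yes' : 'no') . "\n";
echo "config loaded first:               $first\n";
echo "  local? " . (include_path_is_local($first, $root) ? 'yes' : 'no') . "\n";
```

Run with `php loader_order_demo.php`: the first variant yields a path beginning with the request value and fails the locality check, the second yields the configured root and passes. The check is worth keeping even when the ordering is correct, since it turns a silent dependency on load order into an explicit rejection.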

