[VIM] [OSVDB Mods] Re: [Change Request] 15549: Ariadne CMS loader.php Remote File (fwd)

security curmudgeon jericho at attrition.org
Tue Jul 5 08:19:22 EDT 2005



---------- Forwarded message ----------
From: security curmudgeon <jericho at attrition.org>
To: Gijsbert te Riet <gijs at muze.nl>
Cc: Mods <moderators at osvdb.org>
Date: Tue, 5 Jul 2005 08:04:49 -0400 (EDT)
Subject: [OSVDB Mods] Re: [Change Request] 15549: Ariadne CMS loader.php Remote File


Hi Gijsbert,

: The vulnerability report on your site, titled 'Ariadne Include File Flaw
: Lets Remote Users Execute Arbitrary Commands', is inaccurate.
:
: The report states that, by passing the variable 'ariadne' to the system,
: "A remote user can execute arbitrary commands on the target system".
: This is flawed, since on each request, the first thing that is done is
: setting the 'ariadne' variable to an admin-configured string. This is done
: by loading the configuration file 'ariadne.inc'. After that, the
: 'ariadne' variable will not contain any information entered via the web.
:
: We regret that we were not informed about this 'flaw' before you
: published it on your site, and had to find it by accident. It would have
: been more appropriate to contact the developer of the system before
: letting loose this kind of critical information. That way a fix (or in
: this case, a counter argument) could have been made in a day, instead
: of 4 months.

First, we did not publish this information originally. If you look at our
entry for this issue, there are several external references for this
vulnerability. Checking them, the SecurityTracker (ST) listing shows the
original point of disclosure: someone mailed ST with the vulnerability
information. You can see their entry at:
http://securitytracker.com/alerts/2005/Apr/1013721.html. From this, we see
"Fidel Costa reported a vulnerability in Ariadne."

Second, you say this is not an issue because the data is sanitized and
does not come from the user. Then you say you wish we had informed you of
this "critical information". If this is not an issue and the information
is inaccurate.. why exactly do you call this critical in the next
paragraph?

: We hope you will update your entry with this information, and inform us
: the next time an issue about one of our projects arises.

At this point, I am not sure how serious of an issue this really is. The
original vulnerability reporter says this is an issue, you call this
"critical", then you also say this is "inaccurate".

OSVDB strives to have accurate information and will do everything we can
to achieve this. When the vendor sends conflicting statements, it is
usually difficult to gauge the severity of the problem. When a vendor
sends in conflicting statements within their own reply.. it is twice as
difficult.

Again, I'd like to point out that OSVDB did not research or publish this
information originally. We only cataloged it from another source. If any
of our staff find vulnerabilities in Ariadne, we will certainly notify the
vendor first.

Brian
OSVDB.org

