[VIM] Re: CVE id: CAN-2005-1181

Tue Jul 5 14:00:14 EDT 2005

I suppose the 10 million comment will bite me someday, but it seems to be
a reasonable estimate.

- Steve

On Tue, 5 Jul 2005, Steven M. Christey wrote:

>
> On Mon, 4 Jul 2005, Gijsbert te Riet wrote:
>
> > Dear reader,
> >
> > The vulnerability report on your site, titled 'Ariadne Include File Flaw
> > Lets Remote Users Execute Arbitrary Commands', is inaccurate.
>
> We have modified the
>
> > We regret it that we were not informed about this 'flaw' before you
> > published it on your site, and had to find it by accident.
>
> Approximately 100 vulnerabilities per week are publicly reported, and it
> is estimated that full verification of each and every vulnerability report
> would likely cost in excess of 10 million dollars per year.  Therefore it
> is not possible for us to verify every report.
>
> To see how difficult it is to find vendor acknowledgement for large
> numbers of vulnerabilities, please read the following report:
>
>   "An informal analysis of vendor acknowledgement of vulnerabilities"
>   Steve Christey, Barbara Pease
>   http://cert.uni-stuttgart.de/archive/bugtraq/2001/03/msg00153.html
>
> However, we are always willing to post vendor disputes for inaccurate
> vulnerability information.
>
> I will forward your email to other vulnerability information sources so
> that they can make corrections.  You might wish to send a post to the
> Bugtraq mailing list, which will reach a wide audience.
>
> I have modified the CVE candidate accordingly; see below.  This will be on
> the CVE web site later today.
>
> > We hope you will update your entry with this information, and inform us the
> > next time an issue about one of our project arises.
>
> We are working on an automated capability to help us do this.  I will add
> your email address and the keyword "ariadne" to this capability.
>
> I apologize for the inconvenience and hope that our quick response is
> satisfactory.
>
>
>
> Regards,
> Steve Christey
> CVE Editor
>
> ======================================================
> Candidate: CAN-2005-1181
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1181
> Reference: OSVDB:15549
> Reference: URL:http://www.osvdb.org/15549
> Reference: SECTRACK:1013721
> Reference: URL:http://securitytracker.com/id?1013721
> Reference: XF:ariadne-loaderphp-file-include(20611)
> Reference: URL:http://xforce.iss.net/xforce/xfdb/20611
>
> ** DISPUTED **
>
> NOTE: this issue has been disputed by the vendor.  PHP remote code
> injection vulnerability in loader.php for Ariadne CMS 2.4 allows
> remote attackers to execute arbitrary PHP code by modifying the
> ariadne parameter to reference a URL on a remote web server that
> contains the code.  NOTE: the vendor has disputed this issue, saying
> that loader.php first requires the "ariadne.inc" file, which defines
> the $ariadne variable, and thus it cannot be modified by an attacker.
>
>
>