[VIM] [OSVDB Mods] [Change Request] 17460: Whois.Cart language Variable Traversal Arbitrary File Access (fwd)
security curmudgeon
jericho at attrition.org
Fri Jul 8 00:32:23 EDT 2005
---------- Forwarded message ----------
From: S. Alexandre M. Lemaire <saeven at saeven.net>
To: moderators at osvdb.org
Date: Fri, 8 Jul 2005 00:27:57 -0400
Subject: [OSVDB Mods] [Change Request] 17460: Whois.Cart language Variable Traversal Arbitrary File Access

Dear OSVDB,

I'm writing to report that this vulnerability is false and it would
be appreciated if it could be removed immediately. We're willing to
provide you with a test environment on which you can confirm our claim if
the links below do not satisfy. Note that the script's nature, being PHP,
is subject to its environment's security as well. Further, the reportedly
affected components are subject to user modification, and could have been
compromised by an incautious customization on behalf of an unknowing user,
if not a poorly configured operating platform. I can ensure that user
input, using the script in default form, is properly sanitized.

Your "manual testing notes", even on our online demo, fail outright:

http://[victim]/whoiscart/?language=../../../../../../../../../../../../../etc/passwd%00

Replace with the URL of our demo:

http://demo.whoiscart.net/?language=../../../../../../../../../../../../../etc/passwd%00

This achieves no result whatsoever. The demo is running a publicly
released version.

Should you refuse to comply, however, kindly provide your mailing
address and legal contact so that our counsel may contact you appropriately;
loss of business incurred by such falsifications posted in public mediums
could be severe and should be remedied. We've recently received blackmail
threats from a certain individual - it is all too coincidental that these
would appear just now after the latter threat. We believe these to be
malicious acts by this same wrongdoer; your assistance in the matter is
appreciated. I hope you can agree that businesses should not be subject
to the whims of anonymous wrongdoers. Careful examination of the link
above will hopefully display that your posting is just such a maliciously
intended act.

Regards.

S. Alexandre Lemaire,
President, saeven.net
saeven at saeven.net
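The OSVDB testing note quoted in the message above pairs a directory-traversal sequence with a URL-encoded NUL (`%00`) in the `language` query parameter. The following is an added example, written for this archive page and not code from Whois.Cart or from either party to the dispute; it is in Python rather than PHP so the check can be run stand-alone. It shows, for that exact parameter value, where a naive "concatenate the parameter into an include path" pattern ends up, and a hardened lookup that decodes the value, rejects NUL bytes, requires an allowlisted language name, and still confirms the final path stays inside the language directory. `LANG_DIR` and `ALLOWED_LANGUAGES` are assumptions made for the example, not the product's real layout.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed layout for this example only: the directory holding per-language
# include files, and the fixed set of languages the application ships with.
LANG_DIR = "/var/www/whoiscart/lang"
ALLOWED_LANGUAGES = frozenset({"en", "fr", "de"})


def naive_language_path(raw: str) -> str:
    """The pattern the OSVDB entry alleges: the decoded query value is joined
    straight onto an include path.  Returned only so escapes_lang_dir() can
    show where such a path resolves; nothing is opened."""
    return posixpath.join(LANG_DIR, unquote(raw) + ".php")


def escapes_lang_dir(path: str) -> bool:
    """True when the normalised path no longer lives under LANG_DIR."""
    normalised = posixpath.normpath(path)
    return posixpath.commonpath([LANG_DIR, normalised]) != LANG_DIR


def resolve_language_file(raw: str) -> Optional[str]:
    """Hardened lookup for the `language` parameter.

    Returns the confined include path, or None when the value is rejected.
    The allowlist alone defeats traversal; the NUL check and the containment
    check are kept as defence in depth (older PHP releases, before 5.3.4,
    truncated file paths at a NUL byte, which is what %00 is relying on).
    """
    value = unquote(raw)
    if "\x00" in value:
        return None
    if value not in ALLOWED_LANGUAGES:
        return None
    path = posixpath.normpath(posixpath.join(LANG_DIR, value + ".php"))
    if escapes_lang_dir(path):
        return None
    return path


# The exact parameter value quoted in the OSVDB testing notes above.
TRAVERSAL = "../../../../../../../../../../../../../etc/passwd%00"

if __name__ == "__main__":
    naive = naive_language_path(TRAVERSAL)
    print(repr(posixpath.normpath(naive)), escapes_lang_dir(naive))
    print(resolve_language_file(TRAVERSAL))
    print(resolve_language_file("en"))
```

With the allowlist in place the traversal value never reaches a filesystem call, so the outcome does not depend on the PHP version or on how the hosting platform is configured, which is the property a vendor would want to be able to demonstrate on a test environment.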