[VIM] Likely errors in PhpAuction report
security curmudgeon
jericho at attrition.org
Wed Jul 13 02:45:48 EDT 2005
: Regarding Diabolic Crab's report on PhpAuction vulns, archived here:
:
: SECTRACK:1014423
: URL:http://securitytracker.com/id?1014423
:
: (CAN-2005-2252, CAN-2005-2253, and CAN-2005-2254 forthcoming)
:
: has a couple oddnesses about them. Specifically, some URLs contain
: "/phpauction-gpl-2.5/" whereas others don't.
:
: There is further evidence from the raw error outputs that some, or all,
: of these results were obtained by testing on a live web site.
He has tested live sites to find many of his previous vulnerabilities. I
have called him on it in private mails and even got into a small spat with
him with a vendor CC'd. =)
Some of his previous reports were just unclear. Others screamed 'live site
only'. Some of them were redundant or had been previously disclosed.
: Given this, there is some evidence that the "viewnews.php" and
: "login.php" errors are specific to the live web site and *not* the
: PhpAuction product; however the PhpAuction source code isn't available
: so I can't be sure.
:
: Normally I might not comment on this but if I'm right, then a lot of
: DB's didn't catch this.
I haven't created entries for these because I haven't had time to look at
his info closely, something we learned is a must based on his past
vulnerability disclosures.
More information about the VIM
mailing list