[VIM] Dragonfly Commerce disputes reports
security curmudgeon
jericho at attrition.org
Sun Jul 17 19:23:29 EDT 2005
: Dragonfly Commerce has notified CVE of a dispute over some recent
: Diabolic Crab posts on price modification and SQL injection.
: >Recently, we found numerous but identical reports by
: >http://www.dbtech.org who claims to have found security holes in
: >Dragonfly Commerce. This report is unfounded. The text shown in this
: >report are results of error messages from the author typing in invalid
: >category and product numbers which do not exist in the database
: >therefore creating an error message from the server.
Right.. merely inputting invalid content doesn't mean the product isn't
vulnerable though.
: >Dragonfly
: >Commerce does not allow for editing prices nor does it allow for
: >viewing information about clients stored in the database except by the
: >store owner and authorized staff as appointed in the store
: >administration.
So far this is a he said, she said issue. Historically many vendors have
said "we're not vulnerable" and offered little beyond that, only to find
from subsequent examination that it was indeed vulnerable.
: >We have not received nor have had any contact with the author of
: >these "security reports". We have no knowledge of any hidden pricing
: >and SQL vulnerabilities in our software.
Except the dcrab advisory supposedly..
: >Had our clients experienced
: >any security vulnerabilities, they would have reported them to us
: >giving us the opportunity to update the software. We handle work
: >with each of our clients individually and quickly. Anyone finding
: >any discrepancies should contact info at incredibleinteractive.com
Assuming the customer *noticed* it .. *and* diagnosed it .. *and* reported
it.
I really hate these types of disputes.