[VIM] Dragonfly Commerce disputes reports

security curmudgeon jericho at attrition.org
Sun Jul 17 19:23:29 EDT 2005


: Dragonfly Commerce has notified CVE of a dispute over some recent 
: Diabolic Crab posts on price modification and SQL injection.

: >Recently, we found numerous but identical reports by
: >http://www.dbtech.org who claims to have found security holes in
: >Dragonfly Commerce. This report is unfounded. The text shown in this
: >report are results of error messages from the author typing in invalid
: >category and product numbers which do not exist in the database
: >therefore creating an error message from the server.  

Right.. merely inputting invalid content doesn't mean the product isn't 
vulnerable though.

: >Dragonfly
: >Commerce does not allow for editing prices nor does it allow for
: >viewing information about clients stored in the database except by the
: >store owner and authorized staff as appointed in the store
: >administration.

So far this is a he said, she said issue. Historically many vendors have 
said "we're not vulnerable" and offered little beyond that, only to find 
from subsequent examination that it was indeed vulnerable.

: >We have not received nor have had any contact with the author of
: >these "security reports". We have no knowledge of any hidden pricing
: >and SQL vulnerabilities in our software. 

Except the dcrab advisory supposedly..

: >Had our clients experienced
: >any security vulnerabilities, they would have reported them to us
: >giving us the opportunity to update the software. We handle work
: >with each of our clients individually and quickly. Anyone finding
: >any discrepancies should contact info at incredibleinteractive.com

Assuming the customer *noticed* it .. *and* diagnosed it .. *and* reported 
it.

I really hate these types of disputes.
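The point at issue above, that a server error triggered by an invalid category or product number is a symptom of unvalidated input reaching the database query rather than proof the store is safe, as an added example that is not part of the original post or of Dragonfly Commerce's software (the catalogue table, the two lookup functions and the `classify` helper are constructed for illustration):

```python
import sqlite3


def make_db():
    """Constructed in-memory catalogue standing in for a storefront database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 9.99), (2, "gadget", 19.99)])
    return conn


def lookup_concat(conn, product_id):
    """Query built by string concatenation: the request parameter lands in the SQL verbatim.

    A non-numeric id makes the database engine itself fail, which is exactly the
    'error message from the server' the vendor describes, and it shows the input
    is being parsed as SQL rather than treated as data."""
    sql = "SELECT name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchone()


def lookup_param(conn, product_id):
    """Hardened lookup: validate the type first, then bind the value as a parameter.

    Invalid ids are rejected before the query runs, so the database never sees
    them and there is no engine error to leak."""
    if not product_id.isdigit():
        return None
    return conn.execute("SELECT name, price FROM products WHERE id = ?",
                        (int(product_id),)).fetchone()


def classify(conn, lookup, product_id):
    """Return 'found', 'missing' or 'db_error' for a given lookup strategy and input.

    'missing' is the correct answer for an id that does not exist; 'db_error'
    means the input was interpreted by the SQL engine, which is the finding a
    reviewer should escalate rather than dismiss."""
    try:
        row = lookup(conn, product_id)
    except sqlite3.DatabaseError:
        return "db_error"
    return "found" if row else "missing"
```

Running both strategies against a nonexistent numeric id gives `missing`, while a non-numeric id gives `db_error` only for the concatenated query; the difference, not the error text itself, is what distinguishes a harmless 404 from unsanitized input.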