[VIM] Diabolic Crab history
security curmudgeon
jericho at attrition.org
Sun May 22 16:02:48 EDT 2005
Since it has come up a few times between OSVDB folks, and several vendors
have replied to us about reported vulnerabilities, I dug up a list of
examples where Diabolic Crab made significant errors or failed to respond
to my questions. This comes after he got upset that I said he
released advisories with errors.
----
From: security curmudgeon <jericho at attrition.org>
To: Diabolic Crab <dcrab at hackerscenter.com>
Date: Wed, 20 Apr 2005 12:01:06 -0400 (EDT)
Subject: Re: DUportal Pro 3.4 has MANY Sql injection and Sql Errors.
Hi Dcrab,
: Title: DUportal Pro 3.4 has MANY Sql injection and Sql Errors.
[Advisory showing the same handful of vulns over and over due to using ../
notation. First mail was 138k and contained 556 examples of SQL injection.
In reality, only 10 scripts were vulnerable.]
----
"HTTP response splitting" Fiasco:
original post:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0186.html
someone pointing out his cut/paste solution to all vulnerabilities may not
apply here:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0238.html
someone points out this isn't an HTTP response splitting attack:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0246.html
someone points out his paper is based on another:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0254.html
----
From: Massimo Arrigoni
To: moderators at osvdb.org
Date: Fri, 8 Apr 2005 23:30:40 -0700
Subject: [OSVDB Mods] [Change Request] 15267: ProductCart storelocator_submit.asp country Variable XSS
Dear Sirs,
The file referenced in this posting ("storelocator_submit.asp") doesn't
even exist in ProductCart, our ecommerce application.
[mailed Dcrab, no reply]
----
http://digitalparadox.org/advisories/prodcart.txt
tarinasworld_butterflyjournal.asp doesn't exist in the package
when asked, reply:
"well its a customized version that i audited.. just try da journal
page.."
when asked about reporting site specific vulns as default package vulns,
no reply.
----
From: security curmudgeon <jericho at attrition.org>
To: Diabolic Crab <dcrab at hackerscenter.com>
Date: Mon, 11 Apr 2005 18:14:51 -0400 (EDT)
Subject: Re: Directory transversal, sql injection and xss vulnerabilities
in RadBids Gold v2
[asked for clarification on vuln, no reply]