[VIM] Re: Diabolic Crab history

Steven M. Christey coley at mitre.org
Wed May 25 00:19:19 EDT 2005


I've noticed a pattern for some researchers who first start out
publishing everything under the sun, when it's raw and riddled with
mistakes.  But some develop into solid researchers, possibly even at
the professional level.  Whether Diabolic Crab goes this route will
take some time to find out.

I distinctly remember the DUportal example, once you mentioned it.
Looked like a raw dump of a brute force web app scanner.  A CVE
content team member initially gave up and just said "many scripts" in
the draft description for the CAN, but I decided to dig deep into it
and came up with roughly the same results that you did.

The CVE read on DUportal (CAN-2005-1224) is:

  Multiple SQL injection vulnerabilities in DUportal Pro 3.4 allow
  remote attackers to execute arbitrary SQL commands via the (1)
  nChannel parameter to default.asp, cat.asp, or detail.asp, (2) the
  iChannel parameter to search.asp, default.asp, result.asp, cat.asp, or
  detail.asp, (3) the iCat parameter to cat.asp or detail.asp, (4) the
  iData parameter to detail.asp or result.asp, the (5) POL_ID, (6)
  POL_PARENT, (7) POL_CATEGORY, (8) CHA_NAME, or (9) CHA_ID parameters
  to inc_vote.asp, or the (10) tfm_order or (11) tfm_orderby parameters
  to toppages.asp, a different set of vulnerabilities than
  CAN-2005-1236.

(CAN-2005-1236 was created for a different version).

HTTP Response Splitting is a fairly complicated problem, so his
mis-statements in that department are understandable.  As Amit Klein
pointed out in a reply, there was CRLF injection, so there *was* a
possible vector for response splitting, just not the example that
DCrab gave.

The tarinasworld example is already noted with a question mark in CVE
(CAN-2005-0994), but thanks for the info on storelocator_submit.asp
not being in ProductCart (CAN-2005-0995).  I've since updated
CAN-2005-0995 accordingly.

- Steve


More information about the VIM mailing list