[VIM] RE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0478 (fwd)

Steven M. Christey coley at linus.mitre.org
Fri Feb 3 20:33:40 EST 2006


An interesting additional bit of information - a claim that the researcher
reverse-engineered the patches?

---------- Forwarded message ----------
Date: Fri, 03 Feb 2006 18:59:50 -0600
From: David M. Graham
To: cve at mitre.org
Subject: RE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0478

Your CVE-2006-0478 entry is largely correct.

The potential for this exploit was recognized by us approximately a
month ago, and we immediately developed a patch.

The initial announcement of this risk was made on our website at
http://creloaded.com , and it included a patch which will close the
vulnerability on all
known 6.0x and 6.1x releases.   Subsequently, announcements were made to
several security organizations by an individual who included links to a
freely available script written to take advantage of the previously
publicized issue on unpatched releases.

Despite multiple notifications to registered users, distribution of the
patch remained low and this remains a serious threat.  We strongly
encourage users of CRE Loaded 6.x , osCMax, and other users of
osCommerce who have installed HTMLArea based WYSIWYG editors and Admin
Access with Levels to modify thier installations at the earliest
possible moment.


Regards,

David M. Graham,
CRE Loaded Project Manager
Chain Reaction Works, Inc.




More information about the VIM mailing list