[VIM] The provenance problem - one example

Steven M. Christey coley at mitre.org
Fri Jan 6 19:13:32 EST 2006

I've been thinking of the "provenance problem" as having multiple

 - the raw sources of vulnerability information are numerous and
   scattered; there is no longer a single source through which 90% of
   issues are published

 - with the emergence of competitive Refined Vulnerability Information
   (RVI) sources, there is often a dis-incentive to link to other
   sources, and there may be multiple reasons for not linking to the
   original advisory

 - researchers sometimes only send information directly to the RVI,
   instead of public channels

 - RVIs perform additional analysis, but the nature and quality of
   this analysis is usually hidden

With the provenance problem, there's more work for RVI sources and
more dependence on the accuracy of other RVIs when they are the sole

Case in point...

 - SECUNIA:18324 / BID:16159 reported an SQL injection in Timecan CMS
   via the viewID parameter.  Credit: Preddy

 - FRSIRT:ADV-2006-0078, on the same day, reported an SQL injection in
   Timecan CMS with the email parameter to mcl_login.asp.  Credit:

So, is this the same vuln or not?  Date of disclosure and researcher
is the same.  Attack details appear to be different.  Maybe one RVI
source did some deeper analysis, maybe not.  As an outsider you can't
tell without repeating the analysis on the product yourself.

Oh, by the way - a quick glance suggests that Timecan might be an
application service.

- Steve

PS.  I need another term besides "RVI source"

More information about the VIM mailing list