[VIM] The provenance problem - one example
Steven M. Christey
coley at mitre.org
Fri Jan 6 19:13:32 EST 2006
I've been thinking of the "provenance problem" as having multiple
aspects:
- the raw sources of vulnerability information are numerous and
scattered; there is no longer a single source through which 90% of
issues are published
- with the emergence of competitive Refined Vulnerability Information
(RVI) sources, there is often a dis-incentive to link to other
sources, and there may be multiple reasons for not linking to the
original advisory
- researchers sometimes only send information directly to the RVI,
instead of public channels
- RVIs perform additional analysis, but the nature and quality of
this analysis is usually hidden
With the provenance problem, there's more work for RVI sources and
more dependence on the accuracy of other RVIs when they are the sole
source.
Case in point...
- SECUNIA:18324 / BID:16159 reported an SQL injection in Timecan CMS
via the viewID parameter. Credit: Preddy
- FRSIRT:ADV-2006-0078, on the same day, reported an SQL injection in
Timecan CMS with the email parameter to mcl_login.asp. Credit:
Preddy.
So, is this the same vuln or not? Date of disclosure and researcher
is the same. Attack details appear to be different. Maybe one RVI
source did some deeper analysis, maybe not. As an outsider you can't
tell without repeating the analysis on the product yourself.
Oh, by the way - a quick glance suggests that Timecan might be an
application service.
- Steve
PS. I need another term besides "RVI source"
More information about the VIM
mailing list