[VIM] Timecan CMS = in house service, not a sellable product

security curmudgeon jericho at attrition.org
Fri Jan 27 10:19:42 EST 2006



---------- Forwarded message ----------
From: Markku Alikoski <markku.alikoski at idbbn.fi>
To: 'security curmudgeon' <jericho at attrition.org>
Date: Fri, 27 Jan 2006 10:38:23 +0200
Subject: RE: [OSVDB Mods] About reported vulnerability

Hi Brian,

that's the case - Timecan CMS is an in-house production tool.
All installed versions of Timecan CMS are running on servers maintained by
our company.
Idea Development ID is a privately owned B2B advertising agency and we are
providing content management and
web campaigning as an additional service for our clients.

Timecan CMS is a tool I have developed to:
 	-allow our no-tech creative staff to set up web sites fast
 	-produce web metrics and reports that make sense for our marketing
dept.
 	-execute and follow print, banner and e-mail campaigns for our B2B
clients

The mechanism by which we got reported on several security sites is unfamiliar to
me,
but whoever it was, he / she was right - there was a possibility for
injection.
Given that:
 	-there are only a handful of query parameters that the system is
reacting to
 	-all querying is handled by a single function
it was relatively easy to patch the system by validating the query string
input before processing.

Regards,

Markku Alikoski
System Architect
Idea Development ID Ltd.
Aurakatu 3 B
FI-20100 Turku
Finland
Mobile +358 40 571 8172
Phone +358 2 8145 0707
markku.alikoski at idbbn.fi
http://www.idbbn.fi


-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Friday, January 27, 2006 5:51 AM
To: Markku Alikoski
Cc: moderators at osvdb.org
Subject: Re: [OSVDB Mods] About reported vulnerability


Hi Markku,

: concerning reported vulnerability http://www.osvdb.org/22252
:  An upgrade exists and is already installed on all running versions of
: Timecan CMS.

Can you provide a little more information? Your wording makes it sound like
the CMS has an auto-update feature, or all the Timecan CMS sites are managed
by you, else how would you know that all running versions were upgraded. Is
that the case? If you could share a little more information about your
product I would appreciate it.

Brian
OSVDB.org
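Markku's note only sketches the fix: a short list of accepted query parameters, one function that performs all querying, and validation of the query string before it is processed. The example below is added here as an illustration of that structure and is not Timecan CMS code; the table layout, the parameter names (page, lang, id) and the allow-list patterns are assumptions, and the data is constructed. Each parameter is matched against an allow-list rule, unknown parameters are dropped, and values only ever reach the database as bound parameters, so the single gateway function is the one place that needs to be right.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the CMS page store.
# The schema is hypothetical, not Timecan's.
_conn = sqlite3.connect(":memory:")
_conn.execute(
    "CREATE TABLE page (id INTEGER PRIMARY KEY, slug TEXT, lang TEXT, body TEXT)"
)
_conn.executemany(
    "INSERT INTO page (slug, lang, body) VALUES (?, ?, ?)",
    [("home", "fi", "Tervetuloa"), ("home", "en", "Welcome"), ("about", "en", "About us")],
)

# The handful of query-string parameters the application reacts to, each
# paired with an allow-list pattern (assumed names and formats).
PARAM_RULES = {
    "page": re.compile(r"[a-z0-9-]{1,40}"),
    "lang": re.compile(r"fi|en|sv"),
    "id": re.compile(r"[0-9]{1,9}"),
}


class InvalidParameter(ValueError):
    """Raised when a known parameter carries a value outside its allow-list."""


def validate_query(params: dict) -> dict:
    """Keep only known parameters whose values fully match their pattern.

    Unknown parameters are silently dropped; a known parameter with a
    non-conforming value aborts the request before any query is built.
    """
    clean = {}
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            continue  # not one of the handful we react to: ignore it
        if not rule.fullmatch(value):
            raise InvalidParameter(f"parameter {name!r} rejected")
        clean[name] = value
    return clean


def query_page(params: dict) -> list:
    """Single query gateway: validate first, then bind values as parameters.

    The WHERE clause is assembled from fixed fragments only; user-supplied
    values are passed to sqlite3 as bound arguments, never concatenated.
    """
    clean = validate_query(params)
    where, args = [], []
    if "id" in clean:
        where.append("id = ?")
        args.append(int(clean["id"]))
    if "page" in clean:
        where.append("slug = ?")
        args.append(clean["page"])
    if "lang" in clean:
        where.append("lang = ?")
        args.append(clean["lang"])
    sql = "SELECT slug, lang, body FROM page"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return _conn.execute(sql, args).fetchall()


if __name__ == "__main__":
    print(query_page({"page": "home", "lang": "en"}))
    try:
        query_page({"page": "home' OR 1=1"})
    except InvalidParameter as exc:
        print("rejected:", exc)
```

Because every request passes through query_page, the allow-list in PARAM_RULES is the whole validation surface; adding a parameter means adding one rule, and anything that is not listed never influences the SQL at all.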

