[VIM] Smartor Photo Album - dispute

security curmudgeon jericho at attrition.org
Tue Jun 6 05:17:32 EDT 2006


original disclosure:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0190.html

I did a spot check of the distribution and didn't see an occurance of 
'bsid' either. Posting my reply after this mail.

---------- Forwarded message ----------
From: "[ISO-8859-1] Sönke"
To: security curmudgeon <jericho at attrition.org>
Date: Wed, 31 May 2006 15:25:18 +0200
Subject: Re: Wrong information

Hello Brian...

thank you for reminding me on this matter.

The reports on smartor photo album http://www.osvdb.org/15933 and 
http://www.osvdb.org/15932 state, that a varibale named BSID (which most should 
be related to the session-ID-controll in phpBB) is not validated. I talked to 
smartor and worked with that very script for myself for quite some time. 
Smartor said, that he never used BSID.. thus it cannot be transmitted. I myself 
verified this in all files and code comming with Smartor's Photo Album Hack.

If there's a not validated var called BSID it is most likely part of some addon 
for the photo album and not part of the original code. Thus I think it is not 
right to list the above mentioned item in the database..

Thank you

Minc


More information about the VIM mailing list