[VIM] Smartor Photo Album - dispute
security curmudgeon
jericho at attrition.org
Tue Jun 6 05:17:32 EDT 2006
original disclosure:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0190.html
I did a spot check of the distribution and didn't see an occurrence of
'bsid' either. Posting my reply after this mail.
---------- Forwarded message ----------
From: "Sönke"
To: security curmudgeon <jericho at attrition.org>
Date: Wed, 31 May 2006 15:25:18 +0200
Subject: Re: Wrong information
Hello Brian...
thank you for reminding me of this matter.
The reports on Smartor Photo Album http://www.osvdb.org/15933 and
http://www.osvdb.org/15932 state that a variable named BSID (which is most
likely related to the session-ID control in phpBB) is not validated. I talked to
Smartor and worked with that very script myself for quite some time.
Smartor said that he never used BSID, thus it cannot be transmitted. I myself
verified this in all files and code coming with Smartor's Photo Album Hack.
If there is a non-validated variable called BSID, it is most likely part of some addon
for the photo album and not part of the original code. Thus I think it is not
right to list the above mentioned item in the database.
Thank you
Minc