[VIM] Disputed vulnerability: Pixaria, PopPhoto (fwd)

Steven M. Christey coley at linus.mitre.org
Thu Jun 15 10:51:38 EDT 2006

Ref: CVE-2006-2395

The following "dispute" is probably more of a clarification, since the
vendor's web site has an announcement that specifically mentions SECUNIA
SA20087 and says a fix is available.  My read is: "Pixaria is not the
developer, only the distributor."

See the CVE description afterwards, which quotes from the relevant

- Steve

---------- Forwarded message ----------
Date: Thu, 15 Jun 2006 09:14:10 +0100
From: Jamie Longstaff
To: cve at mitre.org
Cc: nvd at nist.gov
Subject: Disputed vulnerability: Pixaria, PopPhoto

Disputed vulnerability: Pixaria, PopPhoto

To whom it may concern,

I wish to dispute the vulnerability listed for PopPhoto for the
following reasons:

1) PopPhoto is NOT a product of Pixaria.  It was a product of PopSoft
Digital and is only hosted by Pixaria as a courtesy since it was
withdrawn last year.

2) PopPhoto, the product with the vulnerability, is obsolete and has
not been available to the public for nearly a year.

3) The vulnerability listed was patched by the previous vendor and
all previous users have received this update.

Listing the vulnerability as something associated with Pixaria - my
company - is having a negative effect on my business when it's
nothing to do with me.


Jamie Longstaff
Pixaria Software

Name: CVE-2006-2395
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2395
Reference: MISC:http://pridels.blogspot.com/2006/05/popphoto-remote-file-inclusion-vuln.html
Reference: CONFIRM:http://www.pixaria.com/news/article/35/
Reference: BID:17970
Reference: URL:http://www.securityfocus.com/bid/17970
Reference: FRSIRT:ADV-2006-1792
Reference: URL:http://www.frsirt.com/english/advisories/2006/1792
Reference: OSVDB:25524
Reference: URL:http://www.osvdb.org/25524
Reference: SECTRACK:1016092
Reference: URL:http://securitytracker.com/id?1016092
Reference: SECUNIA:20087
Reference: URL:http://secunia.com/advisories/20087
Reference: XF:popphoto-poppconfigloader-file-include(26449)
Reference: URL:http://xforce.iss.net/xforce/xfdb/26449

PHP remote file inclusion vulnerability in
resources/includes/popp.config.loader.inc.php in PopPhoto Studio 3.5.4
and earlier allows remote attackers to execute arbitrary PHP code via
a URL in the include_path parameter (cfg['popphoto_base_path']
variable).  NOTE: the developer of this product is not Pixaria, as
claimed by some sources.
