[VIM] Vendor dispute / clarification for CVE-2005-4515 (WebDB)

Matthew Murphy mattmurphy at kc.rr.com
Tue Mar 7 16:38:24 EST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Steven M. Christey wrote:
> FYI.  My read is that the reported vulnerability was in a single
> customized web site.  Also, from the sound of things, the software is not
> directly distributed to customers, rather it is controlled by the vendor.

My read is different.  I read it as "we added code [to the global
codebase] so that one client could test his/her use of the software."

This makes more sense to me when combined with the "No... patch is
required... all clients use a common code library" statement.

Bottom line... it's about as clear as mud.

> - Steve
> 
> ---------- Forwarded message ----------
> Date: Tue, 7 Mar 2006 21:03:28 -0000
> From: Lois Software
> To: cve at mitre.org
> Subject: CVE-2005-4515 (under review)
> 
> [snip]
> 
> WebDB is a generic online database system used by many of the clients of
> Lois Software. The flaw that was identified was some code that was added for
> a client to do some testing of his system and only certain safe commands
> were allowed. This code has now been removed and it is not now possible to
> use SQL queries as part of the query string.
> 
> No installation or patch is required. All clients use a common code library
> and have their own front end and databases and connections. So as soon as a
> change / upgrade / enhancement is made to the code, all users of the
> software begin to use the latest changes immediately.
> 
> A message has also been put on the original posting site.
> 
> Many Thanks
> 
> Lois Software - Bristol - England
> www.loissoftware.com
> 

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB5444D38

iD8DBQFEDf1Pfp4vUrVETTgRAxeIAJ4hYtfzhMPYXQZpuXzOFdqdHU/uhACcCKyo
/FSRQx5yGV5TrLZrWB95d30=
=kzt0
-----END PGP SIGNATURE-----
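The vendor's description above (client-supplied SQL accepted from the query string, gated by a check that "only certain safe commands were allowed") is the general pattern worth seeing in code. The following is an added example written for this archive page; it is not WebDB's code and is not from the original post. Everything in it is assumed for illustration: an in-memory SQLite database with constructed rows, an allowlist that checks only the leading SQL verb (the post does not say what the real filter checked), and the parameter names `sql`, `q` and `p`. It shows why a verb allowlist on raw SQL still leaks data, and the hardened shape, where the query string names a server-side statement and values are bound:

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of "safe commands"; the vendor message names none.
SAFE_COMMANDS = ("SELECT",)


def naive_filter_allows(sql: str) -> bool:
    """Model of a 'safe commands' check: accept a statement if its first
    keyword is on the allowlist. This says nothing about what the statement
    reads, joins or unions."""
    words = sql.strip().split(None, 1)
    return bool(words) and words[0].upper() in SAFE_COMMANDS


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a public table and a table that must not be
    readable through the query string."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        CREATE TABLE users(id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def run_raw_query(conn: sqlite3.Connection, sql: str) -> list:
    """Vulnerable pattern: execute client-supplied SQL once the allowlist
    check passes. The filter stops DROP/DELETE but not a SELECT against
    an unrelated table or a UNION that pulls it in."""
    if not naive_filter_allows(sql):
        raise ValueError("command not allowed")
    return conn.execute(sql).fetchall()


# Hardened pattern: the only SQL that runs is fixed server-side text;
# the client chooses a query by name and supplies values that are bound.
ALLOWED_QUERIES = {
    "product_by_id": "SELECT id, name, price FROM products WHERE id = ?",
    "products_under": "SELECT id, name, price FROM products WHERE price < ? ORDER BY price",
}


def run_named_query(conn: sqlite3.Connection, name: str, params: tuple) -> list:
    if name not in ALLOWED_QUERIES:
        raise ValueError("unknown query")
    return conn.execute(ALLOWED_QUERIES[name], params).fetchall()


def vulnerable_handler(conn: sqlite3.Connection, url: str) -> list:
    """Assumed endpoint shape: ?sql=<statement> taken straight from the query string."""
    qs = parse_qs(urlsplit(url).query)
    return run_raw_query(conn, qs["sql"][0])


def hardened_handler(conn: sqlite3.Connection, url: str) -> list:
    """Assumed endpoint shape: ?q=<query name>&p=<value>&p=<value>..."""
    qs = parse_qs(urlsplit(url).query)
    name = qs.get("q", [""])[0]
    params = tuple(qs.get("p", []))
    return run_named_query(conn, name, params)


if __name__ == "__main__":
    db = build_db()
    # Passes the verb allowlist, yet reads the users table outright.
    leak = "http://example.invalid/webdb?sql=SELECT+username%2C+password_hash+FROM+users"
    print("raw SQL leak:", vulnerable_handler(db, leak))
    # Also passes: a UNION that smuggles users rows into a 'products' query.
    union = ("http://example.invalid/webdb?sql=SELECT+name%2C+price+FROM+products"
             "+UNION+SELECT+username%2C+password_hash+FROM+users")
    print("UNION leak:", vulnerable_handler(db, union))
    # Hardened: the client never supplies SQL text, only a query name and values.
    print("named query:", hardened_handler(db, "http://example.invalid/webdb?q=product_by_id&p=2"))
```

The filter passes both leaking requests because it only inspects the first keyword; the hardened handler removes the class of problem rather than the examples, since no client-controlled text ever reaches the SQL parser. In the SQLite case a bound `'2'` still matches the INTEGER column because numeric affinity is applied to the parameter; on another engine convert the values to the expected types before binding.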
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3436 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.attrition.org/pipermail/vim/attachments/20060307/f0bcbb2d/attachment-0001.bin 