[VIM] vendor dispute: VCS

security curmudgeon jericho at attrition.org
Fri Mar 10 07:30:19 EST 2006

---------- Forwarded message ----------
From: VCS Service
To: moderators at osvdb.org
Date: Thu, 9 Mar 2006 22:32:05 -0600
Subject: [OSVDB Mods] FW: SQL Injection Vulnerability


You posted a vulnerability on your site here with our application:

I responded to the original posted weeks ago and never heard back (see my
message below).  We have explained that this vulnerability has been tested
and designed against.  We would be very interested in seeing any proof that
this can be accomplished as has been stated.

As developers I am not egotistical enough to say that it is outside the
realm of possibility, it is just that without proof this is no more then an
accusation.  We have made significant efforts to protect against this type
of vulnerability and your post is harmful to our company's reputation so we
must ask that you (or the submitter) prove that this is possible with proof
or remove this hurtful innuendo to our reputation.

Best Regards,

Nick Matteucci

VCS = Simple + Sensible + Supportable
Web-Based Project Management Software

Phone: 314-766-4612
Web:  www.vcsonline.com

-----Original Message-----
From: VCS Service
Sent: Tuesday, February 14, 2006 6:30 AM
To: Remco Verhoef (Intershare B.V.)
Subject: RE: SQL Injection Vulnerability

Hi Remco,

Thank you for writing.  We have a behind the scenes complex state management
system that uses a combination of keys placed in JavaScript and Session
State (server side) that protects against the type of SQL injection you
describe.  We have tested for many of the cases and have not found it to be
an issue.  We also compare with proprietary internal fields for the records
to be sure.

Were you able to modify or change another record then the one you were
navigating with through the querysting?  Please let us know how you
accomplished that and I would be most grateful to you.

Thank you

VCS Support Team

-----Original Message-----
From: Remco Verhoef (Intershare B.V.)
Sent: Tuesday, February 14, 2006 4:57 AM
To: information at vcsonline.com
Subject: SQL Injection Vulnerability

Dear VCSOnline,

While browsing through the demo, I encountered the following possible sql
injection flaw. When this flaw is abused there are several possibilities for
deleting, stealing data, installing trojans, depending on the configuration
of the database.

The url:

Returns the error:
  Microsoft OLE DB Provider for Oracle (0x80040E14)
  ORA-00933: SQL command not properly ended
/vpmi33/scripts/PM_Process/PM_Sub_Project_Pages/Service_Requests.asp, line

Which indicates that the parameter UpdateID0 is not properly sanitized
before executing it at the database.

Please correct this issue.

Kind regards,

Remco Verhoef

More information about the VIM mailing list