[VIM] Vulnerability fixed in E-gold (fwd)

security curmudgeon jericho at attrition.org
Thu Mar 16 06:39:06 EST 2006


I know the VDBs don't track site specific bugs for the most part, but 
this is certainly interesting for many reasons.

While OSVDB doesn't currently track site specific issues, I personally 
keep notes/info on them. We have discussed various ways to integrate the 
information into the database, so the information is available in one 
place, but without really mixing it into the main database. We all agree 
that keeping it separate is required, but we also agree that not counting 
or tracking vulnerabilities in online services that millions of people use 
and rely on isn't ideal. Vulns in Google, Gmail, Yahoo and others are just 
as bad as vulns in downloaded apps really.

Has anyone else considered doing this in any fashion? What are the pros 
and cons in your eyes?

---------- Forwarded message ----------
From: 3APA3A <3APA3A at security.nnov.ru>
To: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com
Date: Thu, 16 Mar 2006 01:17:49 +0300
Subject: Vulnerability fixed in E-gold

Hello full-disclosure, bugtraq

   Netsling (shurik.f_(at)_gmail.com) reported a vulnerability in E-gold.

   The vulnerability was reported and fixed in the E-gold partner payment
   script. It was possible to transfer money from an E-gold account without
   knowledge of the AccountID/PassPhrase if the user is logged on.

   Vulnerability details can be found at
   http://bhunter.awardspace.com/vuln-en.html

   The most interesting thing here is E-gold reaction:

   1. Vendor fixed vulnerability within 24 hours.
   2. Vendor decided to reward researcher without any request from his
   side.
   3. Vendor gave permission to publish vulnerability information.

   Just ideal. I hope Microsoft reads this.

   The vulnerability was found and reported to E-gold by nestling, a Web
   software developer from Russia. Please contact him directly if you have
   any questions, because I was only asked to translate and publish this
   information.


-- 
/3APA3A
http://www.security.nnov.ru/

