[VIM] Vendor dispute - Green Minute - CVE-2006-1930

Steven M. Christey coley at mitre.org
Thu May 25 21:37:11 EDT 2006


It's Friday in some parts of the globe, so that means it's vendor
dispute day!

I did a very simple investigation of the report and concur with the
vendor that it seems like a non-sensitive SQL error.  (Note that the
vendor stated that it was OK to test the demo site at
http://hoito.org/en/greenminute).  r0t's followup in his blog comments
effectively concurs with the vendor.

Can anyone else do any investigation?

- Steve

======================================================
Name: CVE-2006-1930
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1930
Reference: MISC:http://pridels.blogspot.com/2006/04/green-minute-sql-inj-vuln.html

** DISPUTED **

Multiple SQL injection vulnerabilities in userscript.php in Green
Minute 1.0 and earlier allow remote attackers to execute arbitrary SQL
commands via the (1) huserid, (2) pituus, or (3) date parameters.
NOTE: this issue has been disputed by the vendor, saying "those
parameters mentioned ARE checked (preg_match) before they are used in
SQL-query...  If someone decided to add SQL-injection stuff to certain
parameter, they would see an error text, but only because _nothing_
was passed inside that parameter (to MySQL-database)."  As allowed by
the vendor, CVE investigated this report on 20060525 and found that
the demo site demonstrated a non-sensitive SQL error when given
standard SQL injection manipulations, so the vendor dispute might be
legitimate.
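
The mechanism in the vendor's quoted statement, sketched as an added example that is not part of the original message and is not Green Minute's code: a value that fails its pattern check is blanked, so the query is malformed and errors out, but no attacker text reaches the database. Python's `re` and SQLite stand in for PHP's `preg_match` and MySQL; the patterns, the `entries` table and the function names are assumptions, and only the parameter names come from the CVE text.

```python
import re
import sqlite3

# Assumed formats: the page names these parameters but not the patterns used.
PATTERNS = {"huserid": r"\d+", "pituus": r"\d+", "date": r"\d{4}-\d{2}-\d{2}"}

def make_db():
    """Constructed sample data in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entries (huserid INTEGER, pituus INTEGER, date TEXT)")
    db.executemany("INSERT INTO entries VALUES (?, ?, ?)",
                   [(1, 10, "2006-05-25"), (2, 20, "2006-05-25")])
    return db

def checked(params):
    """Blank any value that fails its pattern, as the vendor statement describes.
    fullmatch anchors the pattern; an unanchored check would accept a value
    that merely starts with digits."""
    return {k: v if re.fullmatch(PATTERNS[k], v) else "" for k, v in params.items()}

def disputed_lookup(db, params):
    """Checked values are concatenated into the SQL; a rejected value leaves a gap."""
    p = checked(params)
    sql = ("SELECT huserid, pituus FROM entries WHERE huserid = "
           + p["huserid"] + " ORDER BY pituus")
    try:
        return "rows", db.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # The parser error comes from the empty slot, not from the input.
        return "sql_error", str(exc)

def hardened_lookup(db, params):
    """Reject bad input before any SQL is built, and bind the value."""
    if not re.fullmatch(PATTERNS["huserid"], params["huserid"]):
        return "rejected", None
    rows = db.execute(
        "SELECT huserid, pituus FROM entries WHERE huserid = ? ORDER BY pituus",
        (int(params["huserid"]),)).fetchall()
    return "rows", rows
```

The triage signal is that the error text is identical for every rejected value, which is what separates a non-sensitive SQL error from injectable input; the hardened form removes the error as well.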



