[VIM] Regarding Dragonfly Commerce CAN-2005-2220

Stuart Moore smoore at securityglobal.net
Mon Aug 1 23:44:24 EDT 2005

Hi to the VIM list!

Regarding the price modification vulnerability discovered by Diabolic 
Crab and documented in CVE number CAN-2005-2220, we have confirmed via 
testing that the flaw actually did exist, despite the vendor's initial 
denials.  We provided additional evidence to the vendor on July 25th. 
The vendor silently issued a fix on or about July 27, 2005.  If you 
inspect the affected scripts, you will see that the product no longer 
accepts pricing data from HTML forms.

Our alert is posted at:


We were not able to confirm or refute the other reported vulnerability 
(the SQL injection one, CVE number CAN-2005-2221) because we didn't try 
to.  The vendor was quite nasty about the whole thing, so I'm not going 
any further with it.  It would be nice to peek at the code (which 
Secunia offered to, but the vendor declined) to determine conclusively 
why it would be or wouldn't be an issue.

What is disturbing about this whole process (other than the vendor's 
near-bizarre behavior) is that several web sites removed all references 
to this vulnerability when the vendor disputed the flaw and threatened 
legal action, including FrSIRT and US-CERT.
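The fix described above (the scripts no longer accept pricing data from HTML forms) is the standard mitigation for the client-side price tampering class. The following is an added example written for this page, not Dragonfly Commerce code, contrasting a checkout handler that trusts a posted price field with one that looks the price up server-side. The catalog, field names, SKUs and prices are constructed for illustration.

```python
"""
Price tampering illustration (added example, not vendor code).

A checkout script that reads the unit price from the submitted form lets the
client set its own total.  The hardened version takes only an item id and a
quantity from the form and resolves the price from a server-side catalog.
"""
from decimal import Decimal

# Constructed server-side catalog: the only trustworthy source of prices.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("9.50"),
}


def total_trusting_form(form):
    """Vulnerable pattern: the unit price is taken from the posted form."""
    qty = int(form["qty"])
    price = Decimal(form["price"])  # attacker-controlled value
    return qty * price


def total_from_catalog(form):
    """Hardened pattern: only item id and quantity come from the form.

    Any 'price' field the client sends is simply ignored; unknown items and
    non-positive quantities are rejected rather than defaulted.
    """
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if qty < 1:
        raise ValueError("invalid quantity")
    return qty * CATALOG[item]


def catalog_rejects(form):
    """Return True if the hardened handler refuses this submission."""
    try:
        total_from_catalog(form)
    except ValueError:
        return True
    return False


def form_has_client_price(form):
    """Detection aid: flag submissions that carry a price-like field at all.

    After the fix such fields are ignored, so their presence in request logs
    is a useful indicator of tampering attempts against the old behaviour.
    """
    return any(k.lower() in ("price", "amount", "total") for k in form)


# Constructed submission in which the client has rewritten the price.
TAMPERED = {"item": "SKU-100", "qty": "2", "price": "0.01"}

if __name__ == "__main__":
    print("trusting form :", total_trusting_form(TAMPERED))  # 0.02
    print("from catalog  :", total_from_catalog(TAMPERED))   # 99.98
    print("price field   :", form_has_client_price(TAMPERED))
```

The key design point is that the server never parses a monetary value from the request at all; the quantity is the only numeric input, and it is range-checked.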
