[VIM] Regarding Dragonfly Commerce CAN-2005-2220
smoore at securityglobal.net
Mon Aug 1 23:44:24 EDT 2005
Hi to the VIM list!
Regarding the price modification vulnerability discovered by Diabolic
Crab and documented in CVE number CAN-2005-2220, we have confirmed via
testing that the flaw actually did exist, despite the vendor's initial
denials. We provided additional evidence to the vendor on July 25th.
The vendor silently issued a fix on or about July 27, 2005. If you
inspect the affected scripts, you will see that the product no longer
accepts pricing data from HTML forms.
Our alert is posted at:
We were not able to confirm or refute the other reported vulnerability
(the SQL injection one, CVE number CAN-2005-2221) because we didn't try
to. The vendor was quite nasty about the whole thing, so I'm not going
any further with it. It would be nice to peek at the code (which
Secunia offered to, but the vendor declined) to determine conclusively
why it would be or wouldn't be an issue.
What is disturbing about this whole process (other than the vendor's
near-bizarre behavior) is that several web sites removed all references
to this vulnerability when the vendor disputed the flaw and threatened
legal action, including FrSIRT and US-CERT.
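Editor's added example (not from the post, not Dragonfly Commerce code, and not the vendor's fix): the message above says the vulnerable scripts accepted pricing data from the HTML form and the fix was to stop doing so. The sketch below shows that pattern in Python, with a checkout that trusts a posted price beside one that ignores it and prices only from a server-side catalog. The catalog, SKUs, field names and quantity bound are all assumptions chosen for illustration.

```python
from decimal import Decimal

# Constructed server-side catalog; hypothetical SKUs and prices, not real product data.
CATALOG = {
    "SKU-100": Decimal("49.99"),
    "SKU-200": Decimal("15.00"),
}

MAX_QTY = 999  # assumed per-line quantity cap, chosen for illustration


def total_vulnerable(form):
    """Pre-fix pattern: the price comes from the submitted form, so a client
    that edits the hidden 'price' field sets its own price."""
    total = Decimal("0")
    for item in form["items"]:
        total += Decimal(item["price"]) * int(item["qty"])
    return total


def total_hardened(form):
    """Post-fix pattern: any posted price is ignored; the only inputs taken from
    the client are the product identifier and the quantity, both validated."""
    total = Decimal("0")
    for item in form["items"]:
        sku = item["sku"]
        if sku not in CATALOG:
            raise ValueError(f"unknown product {sku!r}")
        qty = int(item["qty"])
        if qty < 1 or qty > MAX_QTY:
            raise ValueError(f"quantity out of range for {sku!r}")
        total += CATALOG[sku] * qty
    return total


def audit_price_tampering(form):
    """Returns the SKUs whose posted price disagrees with the catalog. Useful
    for logging attempts even after the server stops using the posted value."""
    tampered = []
    for item in form["items"]:
        posted = item.get("price")
        sku = item["sku"]
        if posted is not None and sku in CATALOG and Decimal(posted) != CATALOG[sku]:
            tampered.append(sku)
    return tampered


def is_rejected(form):
    """True if the hardened path refuses the order (bad SKU or quantity)."""
    try:
        total_hardened(form)
    except ValueError:
        return True
    return False


# Constructed request: the client lowered the first line's price to one cent.
TAMPERED_FORM = {
    "items": [
        {"sku": "SKU-100", "qty": "2", "price": "0.01"},
        {"sku": "SKU-200", "qty": "1", "price": "15.00"},
    ]
}

# Constructed request with a negative quantity, another client-controlled field.
NEGATIVE_QTY_FORM = {"items": [{"sku": "SKU-100", "qty": "-1", "price": "49.99"}]}

if __name__ == "__main__":
    print("vulnerable total:", total_vulnerable(TAMPERED_FORM))
    print("hardened total:  ", total_hardened(TAMPERED_FORM))
    print("tampered SKUs:   ", audit_price_tampering(TAMPERED_FORM))
    print("negative qty rejected:", is_rejected(NEGATIVE_QTY_FORM))
```

The point to check in a real application is not just the price field: every value the server uses for money (unit price, discount, shipping, currency) has to come from server-side state, with the client supplying only identifiers and quantities that are bounds-checked.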