[VIM] Regarding Dragonfly Commerce CAN-2005-2220
jericho at attrition.org
Tue Aug 2 07:47:41 EDT 2005
: Hi to the VIM list!
Hey Stuart, welcome to VIM =)
: Regarding the price modification vulnerability discovered by Diabolic
: Crab and documented in CVE number CAN-2005-2220, we have confirmed via
: testing that the flaw actually did exist, despite the vendor's initial
: denials. We provided additional evidence to the vendor on July 25th.
: The vendor silently issued a fix on or about July 27, 2005. If you
: inspect the affected scripts, you will see that the product no longer
: accepts pricing data from HTML forms.
Very interesting. I still have this in the OSVDB NDM queue (where stuff
lives until we say "this is legit"), with a 'disputed' tag next to it.
Based on your findings I will work on this later today. I'll probably push
the SQL injection to new, despite the vendor response given they were
wrong on one account and Dcrab has a ~ 50% record on being right.
: What is disturbing about this whole process (other than the vendor's
: near-bizarre behavior) is that several web sites removed all references
: to this vulnerability when the vendor disputed the flaw and threatened
: legal action, including FrSIRT and US-CERT.
Is there any public reference (or private) of them threatening legal
action? I think I read the initial denial but it was not public and didn't
include a threat.
If they sent one to you, could you share it off list? VIM is archived
publicly as an FYI =)