[VIM] Regarding Dragonfly Commerce CAN-2005-2220

security curmudgeon jericho at attrition.org
Tue Aug 2 07:47:41 EDT 2005

: Hi to the VIM list!

Hey Stuart, welcome to VIM =)

: Regarding the price modification vulnerability discovered by Diabolic 
: Crab and documented in CVE number CAN-2005-2220, we have confirmed via 
: testing that the flaw actually did exist, despite the vendor's initial 
: denials.  We provided additional evidence to the vendor on July 25th. 
: The vendor silently issued a fix on or about July 27, 2005.  If you 
: inspect the affected scripts, you will see that the product no longer 
: accepts pricing data from HTML forms.

Very interesting. I still have this in the OSVDB NDM queue (where stuff 
lives until we say "this is legit"), with a 'disputed' tag next to it. 
Based on your findings I will work on this later today. I'll probably push 
the SQL injection to new, despite the vendor response given they were 
wrong on one account and Dcrab has a ~50% record on being right.

: What is disturbing about this whole process (other than the vendor's 
: near-bizarre behavior) is that several web sites removed all references 
: to this vulnerability when the vendor disputed the flaw and threatened 
: legal action, including FrSIRT and US-CERT.

Is there any public reference (or private) of them threatening legal 
action? I think I read the initial denial but it was not public and didn't 
include a threat.

If they sent one to you, could you share it off list? VIM is archived 
publicly as an FYI =)
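The flaw class under discussion, a checkout script that accepts the price from the submitted HTML form, is easy to see in miniature. The following is an added example, not code from the original post and not Dragonfly Commerce's scripts: a hypothetical checkout handler that trusts a form-supplied `price` field, beside a hardened version that recomputes the total from a server-side catalog and validates the quantity. The item names, prices, field names and request bodies are all constructed for the example.

```python
"""Client-side price tampering: vulnerable vs. hardened checkout handler.

Constructed example; the catalog, field names and request bodies are
assumptions, not taken from any real product.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl

# Constructed server-side catalog (item id -> unit price). In a real cart
# this would be the database row, never a value echoed back by the client.
CATALOG = {
    "widget": Decimal("19.99"),
    "gadget": Decimal("49.00"),
}

MAX_QTY = 100


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def checkout_vulnerable(form: dict) -> Decimal:
    """Trusts 'price' and 'qty' from the form.

    A customer who edits the hidden price field (or submits a negative
    quantity) sets their own total; the server never consults the catalog.
    """
    price = Decimal(form["price"])
    qty = int(form["qty"])
    return price * qty


def checkout_hardened(form: dict) -> Decimal:
    """Ignores any submitted price; looks the item up server-side.

    Only the item id and quantity are taken from the client, and both are
    validated before use.
    """
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    return CATALOG[item] * qty


# Constructed request bodies: what the legitimate form submits, and a copy
# with the hidden price field edited before submission.
LEGIT_BODY = "item=widget&qty=2&price=19.99"
TAMPERED_BODY = "item=widget&qty=2&price=0.01"


def tamper_report() -> dict:
    """Return the totals each handler computes for the tampered request.

    Shows the vulnerable handler charging the attacker-chosen price while
    the hardened one charges the catalog price.
    """
    form = parse_form(TAMPERED_BODY)
    return {
        "vulnerable": str(checkout_vulnerable(form)),  # "0.02"
        "hardened": str(checkout_hardened(form)),      # "39.98"
    }


if __name__ == "__main__":
    print(tamper_report())
```

The hardened handler is the shape of the fix Stuart describes: the script stops accepting pricing data from the form at all. Note that removing the hidden price field from the HTML alone does nothing if the server still reads it from the request; the lookup has to move server-side.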


