[VIM] Regarding Dragonfly Commerce CAN-2005-2220

Stuart Moore smoore at securityglobal.net
Thu Aug 4 07:33:51 EDT 2005

Hi.  The public threats have been removed from the vendor's web site, 
but we've got copies.  I can send it if you'd like.  But I don't really 
want to publicly take this vendor to task, as I believe they are very 
small and that it was just one person who went overboard.  It might 
someday make a nice story (with the vendor's name removed) of a "how not 
to respond" guide.


security curmudgeon wrote:
> : Hi to the VIM list!
> Hey Stuart, welcome to VIM =)
> : Regarding the price modification vulnerability discovered by Diabolic 
> : Crab and documented in CVE number CAN-2005-2220, we have confirmed via 
> : testing that the flaw actually did exist, despite the vendor's initial 
> : denials.  We provided additional evidence to the vendor on July 25th. 
> : The vendor silently issued a fix on or about July 27, 2005.  If you 
> : inspect the affected scripts, you will see that the product no longer 
> : accepts pricing data from HTML forms.
> Very interesting. I still have this in the OSVDB NDM queue (where stuff 
> lives until we say "this is legit"), with a 'disputed' tag next to it. 
> Based on your findings I will work on this later today. I'll probably push 
> the SQL injection to new, despite the vendor response given they were 
> wrong on one account and Dcrab has a ~ 50% record on being right.
> : What is disturbing about this whole process (other than the vendor's 
> : near-bizarre behavior) is that several web sites removed all references 
> : to this vulnerability when the vendor disputed the flaw and threatened 
> : legal action, including FrSIRT and US-CERT.
> Is there any public reference (or private) of them threatening legal 
> action? I think I read the initial denial but it was not public and didn't 
> include a threat.
> If they sent one to you, could you share it off list? VIM is archived 
> publicly as an FYI =)
> .b

Stuart Moore
SecurityGlobal.net LLC
smoore at securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax

More information about the VIM mailing list