[VIM] Possible bogus old vuln notification - PunkBuster
Steven M. Christey
coley at mitre.org
Sat Aug 13 16:13:32 EDT 2005
BUGTRAQ:20040219 PunkBuster SQL Injection Attack
(heavily annotated CVE forthcoming)
The researcher, "Just1n T1mberlake," makes several questionable claims
in this report:
1) the reference to http://pbdb.sourceforge.net is actually for
"PB-DB", which is the PunkBuster Screenshot Database, apparently a
different product than "PunkBuster"
2) The download of Alpha 6 shows no reference to "Punky Brewster",
based on a case-insensitive grep of "punky" in the download, and a
Google search does not suggest any relationship between
"punkbuster" and "punky brewster"
3) The discloser claimed notification of a particular e-mail address
in 2004, but (a) the PB-DB home page does not have this address,
and (b) the last release was in October 2001, suggesting an
4) The following source code is claimed to be affected:
    query = "select count(*) from users where menuboy = 'weaklikepr4wn' &
    userName='" & userName & "' and userPass='" & password & "' & cumquat = 1"
However, I searched the source for "query", "select", "menuboy",
and "username" but did not find this source code.
In short, it is highly likely that this post was bogus.