[VIM] Possible bogus old vuln notification - PunkBuster

Steven M. Christey coley at mitre.org
Sat Aug 13 16:13:32 EDT 2005


Refs:

   BUGTRAQ:20040219 PunkBuster SQL Injection Attack
   URL:http://www.securityfocus.com/archive/1/354453
   BID:9697
   URL:http://www.securityfocus.com/bid/9697
   SECTRACK:1009145
   URL:http://securitytracker.com/id?1009145
   XF:punkbuster-login-sql-injection(15267)
   URL:http://xforce.iss.net/xforce/xfdb/15267

(heavily annotated CVE forthcoming)

The researcher, "Just1n T1mberlake," makes several questionable claims
in this report:

1) the reference to http://pbdb.sourceforge.net is actually for
   "PB-DB", which is the PunkBuster Screenshot Database, apparently a
   different product than "PunkBuster"

2) The download of Alpha 6 shows no reference to "Punky Brewster",
   based on a case-insensitive grep of "punky" in the download, and a
   Google search does not suggest any relationship between
   "punkbuster" and "punky brewster"

3) The discloser claimed notification of a particular e-mail address
   in 2004, but (a) the PB-DB home page does not have this address,
   and (b) the last release was in October 2001, suggesting an
   abandoned project.

4) The following source code is claimed to be affected:

     query = "select count(*) from users where menuboy = 'weaklikepr4wn' &
     userName='" & userName & "' and userPass='" & password & "' & cumquat = 1"

   However, I searched the source for "query", "select", "menuboy",
   and "username" but did not find this source code.


In short, it is highly likely that this post was bogus.


- Steve
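The quoted query in point 4, whether or not it ever shipped in PB-DB, is the textbook shape of a login check that splices user input straight into SQL text. The following is an added example, not code from the post or from the PB-DB project: it renders that query shape in Python against an in-memory SQLite table (the table, its columns and the rows are constructed), treats the VBScript `&` concatenations as `and` so the SQL actually parses (an assumption), and places the parameterized form beside it so the difference in behaviour on a crafted username is visible.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the 'users' table the
    report describes; the column names follow the quoted query and the
    rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (userName text, userPass text, "
        "menuboy text, cumquat integer)"
    )
    conn.execute(
        "insert into users values ('alice', 's3cret', 'weaklikepr4wn', 1)"
    )
    conn.commit()
    return conn


def login_concat(conn, user_name, password):
    """Same shape as the quoted query: credentials concatenated into the
    SQL text, so a quote character in either value is parsed as SQL.
    Returns True when the query reports at least one matching row."""
    query = (
        "select count(*) from users where menuboy = 'weaklikepr4wn' and "
        "userName='" + user_name + "' and userPass='" + password + "' "
        "and cumquat = 1"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_param(conn, user_name, password):
    """Hardened form: the values travel as bound parameters and are never
    interpreted as part of the statement."""
    query = (
        "select count(*) from users where menuboy = 'weaklikepr4wn' and "
        "userName=? and userPass=? and cumquat = 1"
    )
    return conn.execute(query, (user_name, password)).fetchone()[0] > 0


def demo():
    """Run both checks with good, wrong and crafted credentials and return
    the outcomes so they can be compared side by side."""
    conn = make_db()
    # Constructed input: closes the string literal and appends a tautology.
    crafted = "' or '1'='1"
    return {
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "concat_wrong": login_concat(conn, "alice", "wrong"),
        "concat_crafted": login_concat(conn, crafted, crafted),
        "param_valid": login_param(conn, "alice", "s3cret"),
        "param_wrong": login_param(conn, "alice", "wrong"),
        "param_crafted": login_param(conn, crafted, crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query the crafted value turns the `where` clause into a disjunction whose last branch (`'1'='1' and cumquat = 1`) is true for any row, so the count is non-zero without a valid password; the parameterized query compares the literal string and finds no row. The fix for this class of bug is the placeholder, not input filtering.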