[VIM] Likely errors in PhpAuction report

security curmudgeon jericho at attrition.org
Wed Jul 13 02:45:48 EDT 2005

: Regarding Diabolic Crab's report on PhpAuction vulns, archived here:
:   SECTRACK:1014423
:   URL:http://securitytracker.com/id?1014423
: (CAN-2005-2252, CAN-2005-2253, and CAN-2005-2254 forthcoming)
: has a couple oddnesses about them.  Specifically, some URLs contain
: "/phpauction-gpl-2.5/" whereas others don't.
: There is further evidence from the raw error outputs that some, or all, 
: of these results were obtained by testing on a live web site.

He has tested live sites to find many of his previous vulnerabilities. I 
have called him on it in private mails and even got into a small spat with 
him with a vendor CC'd. =)

Some of his previous reports were just unclear. Others screamed 'live site 
only'. Some of them were redundant or had been previously disclosed. 

: Given this, there is some evidence that the "viewnews.php" and 
: "login.php" errors are specific to the live web site and *not* the 
: PhpAuction product; however the PhpAuction source code isn't available 
: so I can't be sure.
: Normally I might not comment on this but if I'm right, then a lot of 
: DB's didn't catch this.

I haven't created entries for these because I haven't had time to look at 
his info closely, something we learned is a must based on his past 
vulnerability disclosures.

More information about the VIM mailing list