[VIM] Question on BookReview vulns (fwd)

security curmudgeon jericho at attrition.org
Wed Jun 1 07:39:10 EDT 2005

: FYI...  lostmon says he's a data mangler for OSVDB... any inside scoop 
: from the OSVDB people?

Off the record.. 

It is clear as you can see, that he tests live sites to find 
vulnerabilities oftentimes. This is something that many of the core OSVDB 
folks do *not* approve of at all. The fact that he does this and 
prominently announces his involvement in OSVDB is very worrisome to a few 
of us. It is getting to the point where I think one of us needs to have a 
serious talk with him.

Usually I catch his stuff and figure out the real vendor, determine that I 
can't figure it out, or just don't add it without questioning him further. 
And let me tell you, questioning him can be painful as his English is not 
very good.

For BookReview, the bottom of the page shows what you found:

: Google search suggests that there is a product called "BookReview" by 
: somebody named W.M.R. Simpson, apparently a Christian software 
: developer.  His URL is at http://www.justwilliams.com/.
: However, I can't find any information on "BookReview" on that site, 
: either.

We have the vendor URL wrong on our entries, which I will fix. But my 
initial digging suggested it was a product you could download and I didn't 
follow through when making the entries.

: Can "BookReview" be downloaded and used by other people?  If so, do you 
: know where that information is?
: I am asking because it seems like "BookReview" is custom software for a 
: live web site, but it is not generally available to the public, and CVE 
: only covers vulnerabilities in publicly available software.

Let me know how he replies and I can translate if you need =) I've gotten 
fairly proficient at speaking Lostmonese.
