[VIM] discuss: MaxWebPortal as an example

security curmudgeon jericho at attrition.org
Sat May 14 06:52:13 EDT 2005

Assuming that all of the vulnerabilities disclosed are accurate (for the 
sake of this discussion), consider:

Apr 27: Soroush Dalili finds 12 SQL injections in various .asp 

May 11: Soroush Dalili finds 14 SQL injections in various .asp

May 11: Zinho finds 1 XSS and 5 SQL injections in various .asp

All of these vulnerabilities are found in the same product, MaxWebPortal. 
There are no duplicates, meaning a total of 31 separate scripts were found 
vulnerable to SQL injection. It is safe to assume that both researchers 
installed it or were testing a full distribution (based on past 
advisories, if Zinho tested it on a live site it would not surprise me).

The question to consider is, why didn't either of the researchers find all 
of these injections? Why were there 14 days between Soroush's two groups?

Any speculation as to why we would see such a disclosure pattern?

