[VIM] discuss: MaxWebPortal as an example
jericho at attrition.org
Sat May 14 06:52:13 EDT 2005
Assuming that all of the vulnerabilities disclosed are accurate (for the
sake of this discussion), consider:
Apr 27: Soroush Dalili finds 12 SQL injections in various .asp
May 11: Soroush Dalili finds 14 SQL injections in various .asp
May 11: Zinho finds 1 XSS and 5 SQL injections in various .asp
All of these vulnerabilities are found in the same product, MaxWebPortal.
There are no duplicates, meaning a total of 31 seperate scripts were found
vulnerable to SQL injection. It is safe to assume that both researchers
installed it or were testing a full distribution (based on past
advisories, if Zinho tested it on a live site it would not surprise me).
The question to consider is, why didn't either of the researchers find all
of these injections? Why was there 14 days between Soroush's two groups?
Any speculation as to why we would see such a disclosure pattern?
More information about the VIM