[VIM] Re: Diabolic Crab history
Steven M. Christey
coley at mitre.org
Wed May 25 00:19:19 EDT 2005
I've noticed a pattern for some researchers who first start out
publishing everything under the sun, when it's raw and riddled with
mistakes. But some develop into solid researchers, possibly even at
the professional level. Whether Diabolic Crab goes this route will
take some time to find out.
I distinctly remember the DUportal example, once you mentioned it.
Looked like a raw dump of a brute force web app scanner. A CVE
content team member initially gave up and just said "many scripts" in
the draft description for the CAN, but I decided to dig deep into it
and came up with roughly the same results that you did.
The CVE read on DUportal (CAN-2005-1224) is:
Multiple SQL injection vulnerabilities in DUportal Pro 3.4 allow
remote attackers to execute arbitrary SQL commands via the (1)
nChannel parameter to default.asp, cat.asp, or detail.asp, (2) the
iChannel parameter to search.asp, default.asp, result.asp, cat.asp, or
detail.asp (3) the iCat parameter to cat.asp or detail.asp, (4) the
iData parameter to detail.asp or result.asp, the (5) POL_ID, (6)
POL_PARENT, (7) POL_CATEGORY, (8) CHA_NAME, or (9) CHA_ID parameters
to inc_vote.asp, or the (10) tfm_order or (11) tfm_orderby parameters
to toppages.asp, a different set of vulnerabilities than
(CAN-2005-1236 was created for a different version).
HTTP Response Splitting is a fairly complicated problem, so his
mis-statements in that department are understandable. As Amit Klein
pointed out in a reply, there was CRLF injection, so there *was* a
possible vector for response splitting, just not the example that
The tarinasworld example is already noted with a question mark in CVE
(CAN-2005-0994), but thanks for the info on storelocator_submit.asp
not being in ProductCart (CAN-2005-0995). I've since updated
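To make Amit Klein's CRLF point concrete, here is an added example, not from this thread or from any of the products named in it, of the header-building pattern that turns an injected CRLF into a response-splitting vector, beside the check that closes it; the redirect header, the function names and the injected input are all constructed for illustration.

```python
# Added illustration (assumption: a redirect handler that copies a
# user-controlled value into the Location header).
CRLF = "\r\n"


def build_redirect_unsafe(location: str) -> str:
    """Vulnerable pattern: header value copied verbatim into the response."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def build_redirect_safe(location: str) -> str:
    """Hardened builder: refuse any value that can end its own header line."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF not allowed in header value")
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def count_responses(raw: str) -> int:
    """Count status lines, the way a proxy or browser would split the stream."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1."))


# Constructed input: a normal path followed by a CRLF-terminated second
# response, the shape that response splitting relies on.
INJECTED = (
    "/home" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF + "Content-Length: 2" + CRLF + CRLF + "hi"
)


def demo():
    """Return (responses seen by the unsafe builder, whether the safe one refused)."""
    seen = count_responses(build_redirect_unsafe(INJECTED))  # 2: one became two
    try:
        build_redirect_safe(INJECTED)
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    print(demo())  # (2, True)
```

The same CR/LF check belongs on every header value a request can influence; a value that only carries CRLF is the whole vector, as noted above.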