[VIM] Re: [Change Request] 15738 WebApp E-Cart index.cgi art Parameter Arbitrary Command Execution

security curmudgeon jericho at attrition.org
Sun May 29 16:29:56 EDT 2005


Hi Brad,

: The link: http://www.osvdb.org/displayvuln.php?osvdb_id=15738 falsely 
: states that the Nasrani Software Foundation is the vendor of the 
: software mentioned with a vulnerability.  This is inaccurate and we 
: would appreciate that the information on your Site be updated accurately 
: as soon as possible.  The software is connected with http://web-app.org/ 
: instead of the Nasrani Software Foundation.  The Nasrani Software 
: Foundation is the vendor of a PHP program called WebApp PHP, but not the 
: Perl version associated with the vulnerable software mentioned in your 
: security notice.

The original disclosure point on this issue was:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0388.html

The vulnerability researcher says the vendor is located at:
http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi

When visiting the vendor link, I am redirected to:
http://www.nasranisoft.org/en/

The researcher says the vulnerability is in "E-Cart 2004 v1.1". 
Web-app.org doesn't appear to have a product called that, and their 
product is at version 0.9.9.2.1. The Nasrani page shows WebApp PHP Version 
1.0 as the current version.

So that leaves me wondering, who exactly created E-Cart 2004 v1.1 if not 
Web-APP or Nasrani =)

I am removing Nasrani from OSVDB 15738 for now while I try to research who 
the vendor is. Thanks for bringing this to our attention!

Brian
OSVDB.org

