[VIM] Vendor ACK for MyQuiz
Steven M. Christey
coley at linus.mitre.org
Thu Feb 9 23:56:11 EST 2006
alex at evuln said vendor fixed, but the acknowledgement was too vague, so I
double-checked with the vendor.
Vendor responded within minutes of my initial request.
---------- Forwarded message ----------
Date: Thu, 09 Feb 2006 22:48:20 -0600
From: Dale Ray
To: coley at mitre.org
Subject: Re: Security vulnerability in MyQuiz
To the best of my knowledge YES the issue is fixed. I did this using
whitelist data entry testing. If any character that is not valid input is
in the URL calling the script the script aborts with an error message.
But - the only way for you to be sure of this is for you to test the
script yourself. You should never trust anything you download from the
*********** START QUOTE ***********
> On 2/9/2006 at 11:34 PM coley at mitre.org wrote:
>Somebody claiming to be Steve Christey wrote:
>I am a computer security professional for the CVE project, which is
>sponsored by the Department of Homeland Security to assign standard
>identifiers for security vulnerabilities (http://www.us-cert.gov/cve/,
>Recently, some security vulnerability information about your product
>was posted here:
>The researcher says that you fixed the issue in version 2.0, but your
>acknowledgement does not provide enough details to be sure that you are
>fixing the vulnerability identified above.
>So... did 2.0 fix the issue above?
>Principal Information Security Engineer
>The MITRE Corporation
*********** END QUOTE ***********