[VIM] fake vulnerability extortion?

security curmudgeon jericho at attrition.org
Fri Feb 17 00:51:54 EST 2006


Hi everyone!
On January 23 I finished work on revealing a critical vulnerability in
the vBulletin forum (3.0.7 - 3.5.3) and IPB (2.0.0 - 2.1.4).
The vulnerabilities were found to be of nearly similar nature. Later I
tested them on the remaining versions and they operated in the same way.
After two or three days, two exploits were written for these two forums.
The exploit allows getting a web shell on the server where the forum is
installed. That is all I can say on this matter. This letter was written
so that the developers of these software products know that there are
mistakes in them that deserve attention.


> No, nobody has reported this vulnerability. Let everyone read the
> message on securityfocus.com. The PoC will possibly be on sale only to
> a narrow circle of people from the Russian hacker

So your exploit is not being reported to the vendors and you are going to 
sell this?


While we take all security reports seriously, we have investigated this 
report and have been unable to find any sort of exploit suggested by the 

After contacting the author for more information the response we received 
was that a fee would have to be paid for more information. As a company we 
refuse to be coerced into paying a ransom given that the author has not 
been able to demonstrate that the vulnerability exists, much less a 
willingness to work with us to ensure a secure product for end users.


I sent him an email about his bugs and exploits.
He asked me to add him on ICQ.
I told him I don't have one, so I gave him my MSN and he added me.
He told me that if I wanted the exploits I would have to pay $500.
I asked how, and he gave me a site for transferring money.
I told him I can't. I said if you want me to transfer money by PayPal I 
will do it. Then he said yes. I asked him if he had an account and he 
replied no. I opened a new account for him and gave him the 
password. He asked me to send the money. I did :)
I sent him $500. Then he disappeared and gave me nothing.
He thinks he took $500 :)
He doesn't know anything; he is from Russia and his language is broken.
This is the result:
We got a new kind of ripper, but this time claiming that they have new 
exploits and will sell them.
