[VIM] Vendor dispute - CVE-2005-4486 - Quantum Art QP7.Enterprise
Steven M. Christey
coley at mitre.org
Mon Feb 27 20:26:30 EST 2006
(r0t: the gift that keeps on giving)
The vendor, Quantum Art, notified CVE (through NVD) that "neither
p_news_id, news_and_events_new.asp not news.asp are not the part of
our product, but the ASP pages that possible were created on the base
of our product."
At the vendor's implicit request for proof, I examined the vendor's
public web site. A demo page was not available, but the main site had
the reported URLs. So, r0t's original report might have come from
testing the live site.
I performed a cursory, non-invasive analysis of the URLs originally
reported by r0t. news_and_events_new.asp generated various invalid
SQL syntax errors based on some common manipulations of the p_news_id
parameter, although "5'" did not work as might have been suggested by
I did not see anything in news.asp.
I'm waiting for the vendor's response, but at this point I'm marking
it as disputed with insufficient proof either way.
** DISPUTED **
SQL injection vulnerability in Quantum Art QP7.Enterprise (formerly
Q-Publishing) allows remote attackers to execute arbitrary SQL
commands via the p_news_id parameter to (1) news_and_events_new.asp
and (2) news.asp. NOTE: on 20060227, the vendor disputed the accuracy
of this report, saying that the p_news_id, news_and_events_new.asp,
and news.asp are not specifically part of their product, although they
could be dynamically generated through use of the product. Some
investigation by CVE suggests evidence that the
news_and_events_new.asp page has at least a forced invalid SQL syntax
error, but this could not be repeated for news.asp.
More information about the VIM