[VIM] Concurrence with vendor dispute - LiteCommerce SQL injection

Steven M. Christey coley at linus.mitre.org
Tue Feb 28 22:00:25 EST 2006


I see that some vuln DBs have deleted their entries for the claimed
LiteCommerce SQL injection issue by Diabolic Crab.

After some more prompting from the vendor, I've looked into the problem
some more.  My investigations were, by necessity, minimal since I do not
have the product.  With those restrictions, I was unable to verify
Diabolic Crab's claims, beyond triggering a SQL syntax error that did not
include path disclosure or any system-specific information leak.

With that, I've decided to treat CVE-2005-1032 as an issue to be slated
for a "REJECT".

Note that Secunia pointed to a news item titled "LITECOMMERCE SECURITY
BULLETIN #20050411" which seems to give a public explanation from the
vendor:

  http://www.litecommerce.com/news.html

Note - during my investigations, I ran across
http://www.securiteam.com/unixfocus/5TP0E0KFFA.html , which has an
alternate angle that smells like eval injection or something similar.

- Steve


---------- Forwarded message ----------
Date: Tue, 28 Feb 2006 21:49:34 -0500 (EST)
From: Steven M. Christey <coley at rcf-smtp.mitre.org>
To: Litecommerce Sales
Cc: cve at mitre.org
Subject: Re: CVE-2005-1032


Hello,

I have investigated this issue a little further, and it does appear that
while your product might generate SQL syntax errors that reveal portions
of the underlying database fields and tables, it does not leak sensitive
information related to the actual system.  Therefore this does not satisfy
CVE's definition of a vulnerability or an exposure.

The CVE description has been modified as below.  I have weakened the
description and emphasized that the researcher's original claims could not
be verified.


Regards,
Steve Christey
CVE Editor



======================================================
Name: CVE-2005-1032
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1032
Reference: BUGTRAQ:20050406 LiteCommerce Sql injection and reveling errors vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111281524405632&w=2
Reference: MISC:http://digitalparadox.org/advisories/lico.txt
Reference: BID:13044
Reference: URL:http://www.securityfocus.com/bid/13044
Reference: OSVDB:15314
Reference: URL:http://www.osvdb.org/15314
Reference: SECUNIA:14857
Reference: URL:http://secunia.com/advisories/14857
Reference: XF:litecommerce-cart-sql-injection(19998)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19998

** REJECT **

cart.php in LiteCommerce might allow remote attackers to obtain
sensitive information via invalid (1) category_id or (2) product_id
parameters.  NOTE: this issue was originally claimed to be due to SQL
injection, but the original researcher is known to be frequently
inaccurate with respect to bug type and severity.  The vendor has
disputed this issue, saying "These reports are credited to malicious
person we refused to hire. We have not taken legal action against him
only because he is located in India.  The vulnerabilites reported can
not be reproduced, hence information you provide is contrary to fact."
Further investigation by CVE personnel shows that an invalid SQL
syntax error could be generated, but it only reveals portions of
underlying database structure, and it does not appear to lead to path
disclosure.  Therefore, this issue is not a vulnerability or an
exposure, and it probably should be REJECTED.




More information about the VIM mailing list