[VIM] Concurrence with vendor dispute - LiteCommerce SQL injection
Steven M. Christey
coley at linus.mitre.org
Tue Feb 28 22:00:25 EST 2006
I see that some vuln DBs have deleted their entries for the claimed
LiteCommerce SQL injection issue by Diabolic Crab.
After some more prompting from the vendor, I've looked into the problem
some more. My investigations were, by necessity, minimal since I do not
have the product. With those restrictions, I was unable to verify
Diabolic Crab's claims, beyond triggering a SQL syntax error that did not
include path disclosure or any system-specific information leak.
With that, I've decided to treat CVE-2005-1032 as an issue to be slated
for a "REJECT".
Note that Secunia pointed to a news item titled "LITECOMMERCE SECURITY
BULLETIN #20050411" which seems to give a public explanation from the
Note - during my investigations, I ran across
http://www.securiteam.com/unixfocus/5TP0E0KFFA.html, which has an
alternate angle that smells like eval injection or something similar.
---------- Forwarded message ----------
Date: Tue, 28 Feb 2006 21:49:34 -0500 (EST)
From: Steven M. Christey <coley at rcf-smtp.mitre.org>
To: Litecommerce Sales
Cc: cve at mitre.org
Subject: Re: CVE-2005-1032
I have investigated this issue a little further, and it does appear that
while your product might generate SQL syntax errors that reveal portions
of the underlying database fields and tables, it does not leak sensitive
information related to the actual system. Therefore this does not satisfy
CVE's definition of a vulnerability or an exposure.
The CVE description has been modified as below. I have weakened the
description and emphasized that the researcher's original claims could not
Reference: BUGTRAQ:20050406 LiteCommerce Sql injection and reveling errors vulnerability
** REJECT **
cart.php in LiteCommerce might allow remote attackers to obtain
sensitive information via invalid (1) category_id or (2) product_id
parameters. NOTE: this issue was originally claimed to be due to SQL
injection, but the original researcher is known to be frequently
inaccurate with respect to bug type and severity. The vendor has
disputed this issue, saying "These reports are credited to malicious
person we refused to hire. We have not taken legal action against him
only because he is located in India. The vulnerabilities reported can
not be reproduced, hence information you provide is contrary to fact."
Further investigation by CVE personnel shows that an invalid SQL
syntax error could be generated, but it only reveals portions of
underlying database structure, and it does not appear to lead to path
disclosure. Therefore, this issue is not a vulnerability or an
exposure, and it probably should be REJECTED.