[VIM] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4495 (fwd)

Steven M. Christey coley at linus.mitre.org
Wed Jan 18 00:53:24 EST 2006

---------- Forwarded message ----------
Date: Wed, 18 Jan 2006 00:36:40 -0500 (EST)
From: Steven M. Christey <coley at rcf-smtp.mitre.org>
To: Thaddeus Wakefield Batt <thaddeus at spiremedia.com>
Cc: cve at mitre.org, matthew at spiremedia.com, jlopez at spiremedia.com
Subject: Re: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4495


At your request to validate the issue, consider the following URL:


This returns an extensive set of error messages that show an invalid SQL
query resulted from the invalid cid parameter, including a leak of the
full pathname of the web server.

We will modify the description to state that there is a possibility that
this issue is not SQL injection, but still a failure to properly check for
valid inputs that can result in an information leak of a pathname which,
while not as severe as arbitrary code execution, is a well-recognized
security concern.

In addition, it appears that SpireMedia offers a service, more than a
specific software package that customers can buy and install by
themselves.  If this is the case, then it would be outside the normal
scope of CVE and we would note it explicitly.

If we have been in error, or if further clarification is needed, then we
will gladly post any additional corrections.

I'm sorry for whatever inconvenience this has caused and hope to resolve
the discrepancy to our mutual satisfaction.

Steve Christey
CVE Editor

On Tue, 17 Jan 2006, Thaddeus Wakefield Batt wrote:

> You have published a security related issue regarding our software:
> "SpireMedia CMS is prone to an SQL injection vulnerability. This issue is
> due to a failure in the application to properly sanitize user-supplied
> input before using it in an SQL query. "
> This information is incorrect, unproven, and potentially slanderous.
> When confronted with an invalid cid, the spiremedia cms will either
> display a
>            Oops! We could not find the page you are trying to access.
> if the cid presented is an integer, or a
>                Invalid data foobar for CFSQLTYPE CF_SQL_INTEGER.
> if the cid presented is a string.
> Please either validate or remove this information from your site
> immediately.
> Thanks,
> --thad
> thaddeus wakefield batt, cto/coo
> inspired technology. inspired results.
> http://www.spiremedia.com/ :|:|: vox: (303) 620-9974
> fax: (303) 629-6385 :|:|: icq: 229911936
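
The distinction both messages turn on, sketched as an added example that is not part of either message or of SpireMedia's code: it sorts an error page body into "type-check rejection", "SQL error text" and "filesystem path disclosed", which are separate findings and none of which alone proves SQL injection. The regular expressions and the verbose sample body are constructed assumptions; the two short bodies are the messages quoted above.

```python
import re

# Patterns are assumptions for this example, not an exhaustive signature set.
TYPE_CHECK = re.compile(r"Invalid data .+? for CFSQLTYPE CF_SQL_[A-Z_]+")
SQL_ERROR = re.compile(r"Error Executing Database Query|SQL syntax|JDBC|ODBC", re.I)
FS_PATH = re.compile(
    r"[A-Za-z]:\\[\w\\ .-]+\.cf[mc]\b"              # Windows path to a template
    r"|(?<![:/\w])/(?:[\w.-]+/)+[\w.-]+\.cf[mc]\b"  # Unix path, but not a URL path
)

def findings(body: str) -> set[str]:
    """Return the kinds of error detail visible in a response body."""
    found = set()
    if TYPE_CHECK.search(body):
        found.add("type_check_error")   # value refused by a typed query parameter
    if SQL_ERROR.search(body):
        found.add("sql_error_text")     # database error text reached the client
    if FS_PATH.search(body):
        found.add("path_disclosure")    # server-side file path reached the client
    return found

def verdict(body: str) -> str:
    """Summarise a body for triage; says nothing about SQL injection itself."""
    f = findings(body)
    if "path_disclosure" in f or "sql_error_text" in f:
        return "information leak: verbose error reached the client"
    if "type_check_error" in f:
        return "input rejected by type check; raw error text shown"
    return "no error detail exposed"

# Sample bodies: the first two are quoted in the thread, the third is constructed.
SAMPLES = {
    "not_found": "Oops! We could not find the page you are trying to access.",
    "type_check": "Invalid data foobar for CFSQLTYPE CF_SQL_INTEGER.",
    "verbose": (
        "Error Executing Database Query. "
        r"The error occurred in C:\inetpub\wwwroot\example\index.cfm: line 12"
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {sorted(findings(body))} -> {verdict(body)}")
```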
