[VIM] Timecan CMS = in house service, not a sellable product
jericho at attrition.org
Fri Jan 27 10:19:42 EST 2006
---------- Forwarded message ----------
From: Markku Alikoski <markku.alikoski at idbbn.fi>
To: 'security curmudgeon' <jericho at attrition.org>
Date: Fri, 27 Jan 2006 10:38:23 +0200
Subject: RE: [OSVDB Mods] About reported vulnerability
that's the case - Timecan CMS is an in-house production tool.
All installed versions of Timecan CMS are running on servers maintained by
Idea Development ID is a privately owned B2B advertising agency and we are
providing content management and
web campaigning as an additional service for our clients.
Timecan CMS is a tool I have developed to:
-allow our no-tech creative staff set up web sites fast
-produce web metrics and reports that make sense for our marketing
-execute and follow print, banner and e-mail campaigns for our B2B
The mechanism how we got reported on several security sites is unfamiliar to
but whoever it was, he / she was right - there was a possibility for
-there are only a handful of query parameters that the system is
-all querying is handled by a single function
it was relatively easy to patch the system by validating the query string
input before processing.
Idea Development ID Ltd.
Aurakatu 3 B
Mobile +358 40 571 8172
Phone +358 2 8145 0707
markku.alikoski at idbbn.fi
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Friday, January 27, 2006 5:51 AM
To: Markku Alikoski
Cc: moderators at osvdb.org
Subject: Re: [OSVDB Mods] About reported vulnerability
: concerning reported vulnerability http://www.osvdb.org/22252
: An upgrade exists and is already installed on all running versions of
: Timecan CMS.
Can you provide a little more information? Your wording makes it sound like
the CMS has an auto-update feature, or all the Timecan CMS sites are managed
by you, else how would you know that all running versions were upgraded. Is
that the case? If you could share a little more information about your
product I would appreciate it.