[VIM] Vendor dispute / clarification for CVE-2005-4515 (WebDB)
mattmurphy at kc.rr.com
Tue Mar 7 16:38:24 EST 2006
Steven M. Christey wrote:
> FYI. My read is that the reported vulnerability was in a single
> customized web site. Also, from the sound of things, the software is not
> directly distributed to customers, rather it is controlled by the vendor.
My read is different. I read it as "we added code [to the global
codebase] so that one client could test his/her use of the software."
This makes more sense to me when combined with the "No... patch is
required... all clients use a common code library" statement.
Bottom line... it's about as clear as mud.
> - Steve
> ---------- Forwarded message ----------
> Date: Tue, 7 Mar 2006 21:03:28 -0000
> From: Lois Software
> To: cve at mitre.org
> Subject: CVE-2005-4515 (under review)
> WebDB is a generic online database system used by many of the clients of
> Lois Software. The flaw that was identified was some code that was added for
> a client to do some testing of his system and only certain safe commands
> were allowed. This code has now been removed and it is not now possible to
> use SQL queries as part of the query string.
> No installation or patch is required. All clients use a common code library
> and have their own front end and databases and connections. So as soon as a
> change / upgrade / enhancement is made to the code, all users of the
> software begin to use the latest changes immediately.
> A message has also been put on the original posting site.
> Many Thanks
> Lois Software - Bristol - England
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."
-- Michael Holstein
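Editor's added example (not code from Lois Software, the VIM list, or either poster; the thread gives no detail of the actual WebDB implementation). It illustrates the pattern the vendor describes, SQL taken from the query string with "only certain safe commands" allowed, and why a keyword allow-list is not a control: a permitted SELECT still reads any table the application account can see. The schema, table names and handler functions below are constructed for the illustration. The hardened handler shows the shape of the vendor's stated fix, no SQL in the query string at all, with values bound as parameters to fixed named queries.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample schema for a hypothetical "generic online database"
# front end. None of this is WebDB code; the tables are invented.
SCHEMA = """
CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE accounts(id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT);
INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
INSERT INTO accounts VALUES (1, 'admin@example.org', 'constructed-hash');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# "Only certain safe commands were allowed": an allow-list on the leading
# SQL verb, the sort of check a client-testing hook might rely on.
SAFE_VERBS = {"SELECT"}


def handle_vulnerable(conn, query_string):
    """Test-hook style handler: runs SQL lifted straight from ?sql=..."""
    params = parse_qs(query_string)
    sql = params.get("sql", [""])[0].strip()
    verb = sql.split(None, 1)[0].upper() if sql else ""
    if verb not in SAFE_VERBS:
        raise PermissionError("command not allowed: %r" % verb)
    # The verb check passed, so the whole statement runs, whatever it reads.
    return conn.execute(sql).fetchall()


# Hardened form: the query string names a query, never carries SQL, and
# user-supplied values only ever travel as bound parameters.
NAMED_QUERIES = {
    "product_by_id": ("SELECT id, name, price FROM products WHERE id = ?", ("id",)),
    "products_under": ("SELECT id, name, price FROM products WHERE price < ?", ("max",)),
}


def handle_hardened(conn, query_string):
    params = parse_qs(query_string)
    name = params.get("q", [""])[0]
    if name not in NAMED_QUERIES:
        raise PermissionError("unknown query: %r" % name)
    sql, arg_names = NAMED_QUERIES[name]
    args = tuple(params.get(a, [""])[0] for a in arg_names)
    return conn.execute(sql, args).fetchall()


def rejected(handler, conn, query_string):
    """True if the handler refuses the request instead of running it."""
    try:
        handler(conn, query_string)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    # Allowed verb, unintended table: the allow-list does not stop this.
    print(handle_vulnerable(db, "sql=SELECT email, pw_hash FROM accounts"))
    # Hardened: only a named query runs; injected text is just a bound value.
    print(handle_hardened(db, "q=product_by_id&id=1"))
    print(handle_hardened(db, "q=product_by_id&id=1 OR 1=1"))
```

The point of the comparison is that "safe commands" is a property of the statement, not of the verb: once arbitrary SQL text reaches the database engine, the allow-list decides only which verbs an attacker starts with. Removing the code path, as the vendor says was done, is the correct fix; a verb filter would not have been.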