[VIM] vendor dispute: VCS
jericho at attrition.org
Fri Mar 10 07:30:19 EST 2006
---------- Forwarded message ----------
From: VCS Service
To: moderators at osvdb.org
Date: Thu, 9 Mar 2006 22:32:05 -0600
Subject: [OSVDB Mods] FW: SQL Injection Vulnerability
You posted a vulnerability on your site here with our application:
I responded to the original post weeks ago and never heard back (see my
message below). We have explained that this vulnerability has been tested
and designed against. We would be very interested in seeing any proof that
this can be accomplished as has been stated.
As developers, I am not egotistical enough to say that it is outside the
realm of possibility; it is just that without proof this is no more than an
accusation. We have made significant efforts to protect against this type
of vulnerability, and your post is harmful to our company's reputation, so we
must ask that you (or the submitter) prove that this is possible with proof
or remove this hurtful innuendo to our reputation.
VCS = Simple + Sensible + Supportable
Web-Based Project Management Software
From: VCS Service
Sent: Tuesday, February 14, 2006 6:30 AM
To: Remco Verhoef (Intershare B.V.)
Subject: RE: SQL Injection Vulnerability
Thank you for writing. We have a behind-the-scenes complex state management
(server side) that protects against the type of SQL injection you
describe. We have tested for many of the cases and have not found it to be
an issue. We also compare with proprietary internal fields for the records
to be sure.
Were you able to modify or change another record than the one you were
navigating with through the querystring? Please let us know how you
accomplished that and I would be most grateful to you.
VCS Support Team
From: Remco Verhoef (Intershare B.V.)
Sent: Tuesday, February 14, 2006 4:57 AM
To: information at vcsonline.com
Subject: SQL Injection Vulnerability
While browsing through the demo, I encountered the following possible SQL
injection flaw. When this flaw is abused, there are several possibilities for
deleting or stealing data, or installing trojans, depending on the configuration
of the database.
Returns the error:
Microsoft OLE DB Provider for Oracle (0x80040E14)
ORA-00933: SQL command not properly ended
Which indicates that the parameter UpdateID0 is not properly sanitized
before it is executed by the database.
Please correct this issue.
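The exchange above turns on two points: a database syntax error (ORA-00933) surfacing when a single quote is appended to a querystring parameter is evidence that the value reaches the SQL parser unsanitized, and a server-side check on which record the user is "navigating" does not stop a value that rewrites the WHERE clause itself. The following is an added example written for this page; it is not code from VCS, from OSVDB, or from either correspondent. It uses Python's built-in sqlite3 as a stand-in for the Oracle back end behind the ADO provider, and the table, column and handler names (`tasks`, `update_title_vulnerable`, `update_title_safe`, `probe`) are hypothetical.

```python
import sqlite3

# Constructed sample data standing in for the product's records. The real
# product uses Oracle via "Microsoft OLE DB Provider for Oracle"; sqlite3 is
# used here only so the example runs offline.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    con.executemany(
        "INSERT INTO tasks VALUES (?, ?, ?)",
        [(1, "alice", "Budget"), (2, "bob", "Roadmap"), (3, "alice", "Hiring")],
    )
    con.commit()
    return con


def update_title_vulnerable(con, update_id, new_title):
    """Hypothetical vulnerable handler: the querystring value is concatenated
    straight into the statement, so a stray quote reaches the SQL parser.
    That is the class of defect an ORA-00933 in an error page reveals.
    Returns the number of rows the UPDATE touched."""
    sql = "UPDATE tasks SET title = '" + new_title + "' WHERE id = " + update_id
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def update_title_safe(con, update_id, new_title):
    """Hardened form: enforce the expected type, then bind parameters so the
    value can never be interpreted as SQL. Raises ValueError on bad input."""
    record_id = int(update_id)  # "3'" or "3 OR 1=1" are rejected here
    cur = con.execute(
        "UPDATE tasks SET title = ? WHERE id = ?", (new_title, record_id)
    )
    con.commit()
    return cur.rowcount


def probe(handler, record_id):
    """Reproduce the reporter's test: append a single quote to the parameter.
    'db_error'  -> the database parser choked, i.e. the value is injectable
    'rejected'  -> input validation stopped it before any SQL ran
    'ok'        -> the handler accepted the value without a syntax error"""
    con = make_db()
    try:
        handler(con, record_id + "'", "probe")
    except sqlite3.OperationalError:
        return "db_error"
    except ValueError:
        return "rejected"
    return "ok"


def rows_touched(handler, update_id):
    """Show why a check on *which* record the user navigated to is not enough:
    an ID meant to address one row can still rewrite the WHERE clause.
    Returns rows updated, or 0 when validation refused the value."""
    con = make_db()
    try:
        return handler(con, update_id, "owned")
    except ValueError:
        return 0


if __name__ == "__main__":
    for name, handler in (("vulnerable", update_title_vulnerable),
                          ("safe", update_title_safe)):
        print(name, "quote probe:", probe(handler, "3"))
        print(name, "rows touched by '3 OR 1=1':", rows_touched(handler, "3 OR 1=1"))
```

The quote probe is the same observation the reporter made against the demo: a syntax error from the database driver, rather than an application-level rejection, is the signal. The `rows_touched` case is the answer to the vendor's question about modifying "another record": with concatenation, `3 OR 1=1` updates every row even though the session state would record the user as editing record 3, while the parameterized handler refuses the value outright.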
More information about the VIM