[VIM] Vulnerability fixed in E-gold (fwd)
jericho at attrition.org
Thu Mar 16 06:39:06 EST 2006
I know the VDB's don't track site specific bugs for the most part, but
this is certainly interesting for many reasons.
While OSVDB doesn't currently track site specific issues, I personally
keep notes/info on them. We have discussed various ways to integrate the
information into the database, so the information is available in one
place, but without really mixing it into the main database. We all agree
that keeping it seperate is required, but we also agree that not counting
or tracking vulnerabilities in online services that millions of people use
and rely on isn't ideal. Vulns in Google, Gmail, Yahoo and others are just
as bad as vulns in downloaded apps really.
Has anyone else considered doing this in any fashion? What are the pros
and cons in your eyes?
---------- Forwarded message ----------
From: 3APA3A <3APA3A at security.nnov.ru>
To: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com
Date: Thu, 16 Mar 2006 01:17:49 +0300
Subject: Vulnerability fixed in E-gold
Hello full-disclosure, bugtraq
Netsling (shurik.f_(at)_gmail.com) reported vulnerability in E-gold.
Vulnerability was reported and fixed in E-gold partner payment script.
It was possible to transfer money from E-gold account without
knowledge of AccounID/PassPhrase if user is logged on.
Vulnerability details can be found at
The most interesting thing here is E-gold reaction:
1. Vendor fixed vulnerability within 24 hours.
2. Vendor decided to reward researcher without any request from his
3. Vendor gave permission to publish vulnerability information.
Just ideal. I hope Microsoft to read this.
Vulnerability was found and reported to E-gold by nestling, Web
software developer from Russia. Please contact him directly, if you
have any questions, because I was only asked to translate and publish
More information about the VIM