[VIM] vendor ack/fix: 25523: Squirrelcart cart_content.php cart_isp_root Variable Remote File Inclusion

security curmudgeon jericho at attrition.org
Wed May 31 07:14:54 EDT 2006

---------- Forwarded message ----------
From: Lighthouse Development - Sales
To: moderators at osvdb.org
Date: Fri, 19 May 2006 16:15:20 -0400
Subject: [OSVDB Mods] [Change Request] 25523: Squirrelcart cart_content.php
     cart_isp_root Variable Remote File Inclusion


I am the developer for Squirrelcart shopping cart software. I have a
question regarding vulnerability 25523, and an update.

Why do you take information provided to you by a hacker as fact and post it
on your website, give him "credit", and then not take the time to at least
contact the vendor to alert them?

This is the second time in the past 2 years that this has happened to us and
not a single one of the sites supposedly concerned about security took the
time to contact us. While you were so kindly contacted by this hacker
regarding this critical security flaw, we received notification after the
fact by a customer that was subsequently hacked using information provided
by one of these security sites.

Please update your listing. This is incorrect: "Currently, there are no known
upgrades, patches, or workarounds available to correct this issue."

There has been an update available on our website to patch this since 5/16.
In addition, the latest version 2.2.3 is not affected.


Jamie Whitney
Lighthouse Development
