[VIM] [OSVDB Mods] OSVDB: Comment Awaiting Moderation

security curmudgeon jericho at attrition.org
Sat Feb 24 08:09:03 EST 2007

: A new comment is awaiting moderation. Please review:
:  Author: www.phppeanuts.org (
:  OSVDB-ID: 30397

:  Comment: Your description states "Currently, there are no known 
: upgrades, patches, or workarounds available to correct this 
: issue."
: 
: In fact a patch as well as patched versions have been available for 
: download since 16-11-2006. Unpatched versions have not been available 
: for download from our website since that date.
: 
: You forget to mention that the vulnerability was in a helper file of 
: the unit testing tool, something that is normally not placed online 
: and certainly not without password-controlled access. The phppeanuts 
: demonstration site was probably the only site that was actually 
: vulnerable to the public.
: 
: The unit testing tool does not use the framework for its own 
: execution. The framework itself has not been hacked.
: 
: The information about the patch has been on the homepage of our 
: website since that date, which is several days before your last update 
: date. Why did you not ask us for information about the vulnerability? 
: Why did you not inform us about the information you are publishing 
: here?
: 
: Please correct your information.

We forget to mention blah blah blah? We know NOTHING about your product 
other than what was originally posted to 
http://www.milw0rm.com/exploits/2778. The original point of disclosure 
says nothing about "unpatched versions", "helper files", "unit testing 
tools" or what was or was not placed online with or without 
password-controlled access.

We didn't ask you for details of this because we didn't disclose the 
vulnerability. We didn't ask you for details because we attempt to monitor 
over *100 HUNDRED VULNERABILITIES PUBLISHED DAILY* and don't have the time 
or resources to contact each vendor, hold their hand, change their diaper 
and gently stroke them as they write shoddy code and introduce 
vulnerabilities in their products, be it in their own web sites, demo web 
sites or downloadable packages.

We will correct our information when you get a fucking clue, treat us with 
the respect you think we owe you, and get over your pathetic egos when it 
comes to writing secure code.

Until then, whine like a bitch to milw0rm.com for posting this before we 
did, then whine to IBM (X-Force), CVE (cve.mitre.org), Symantec (BID), 
Secunia and FrSIRT, all commercial companies or government-sponsored 
projects, before you go whining to the non-profit, volunteer-run OSVDB.org.

When you do that, or send us a *reasonable* mail that isn't accusing us of 
some wrong-doing, THEN we will consider updating our entry with 
information pertaining to this vulnerability.

Until then, kindly lick my asshole clean.

We clear?
