[VIM] [OSVDB Mods] OSVDB: Comment Awaiting Moderation
jericho at attrition.org
Sat Feb 24 08:09:03 EST 2007
: A new comment is awaiting moderation. Please review:
: Author: www.phppeanuts.org (220.127.116.11)
: OSVDB-ID: 30397
: Comment: Your description states "Currently, there are no known
: upgrades, patches, or workarounds available to correct this
: issue."<br /> <br />In fact a patch as well as patched versions
: have been available for download since 16-11-2006. Unpatched versions
: have not been available for download from our website since that date.
: <br /><br />You forget to mentions that the vurnerability was in a
: helper file of the unit testing tool, something that is normally not
: placed on line and certainly not without password-controlled access. The
: phppeanuts demonstration site was probably the only site that was
: actually vurnerable to the public. <br /><br />The unit testing tool
: does not use the framework for its own execution. The framework itself
: has not been hacked. <br /><br />The information about the patch has
: been on the homepage of our website since that date, which is several
: days before your last update date. Why did you not ask us for
: information about the vurnerability? Why did you not inform us about the
: information you are publishing here?<br /><br />Please correct your
: information.<br />
We forget to mention blah blah blah? We know NOTHING about your product
other than what was originally posted to
http://www.milw0rm.com/exploits/2778. The original point of disclosure
says nothing about "unpatched versions", "helper files", "unit testing
tools" or what was or was not placed online with or without
We didn't ask you for details of this because we didn't disclose the
vulnerability. We didn't ask you for details because we attempt to monitor
over *100 HUNDRED VULNERABILITIES PUBLISHED DAILY* and don't have the time
or resources to contact each vendor, hold their hand, change their diaper
and gently stroke them as they write shoddy code and introduce
vulnerabilities in their products, be it in their own web sites, demo web
sites or downloadable packages.
We will correct our information when you get a fucking clue, treat us with
the respect you think we owe you, and get over your pathetic egos when it
comes to writing secure code.
Until then, whine like a bitch to milw0rm.com for posting this before we
did, then wine to IBM (x-force), CVE (cve.mitre.org), Symantec (BID),
Secunia and FR-SiRT, all commercial companies or government sponsored
projects, before you go whining to the non-profit volunteer run OSVDB.org.
When you do that, or send us a *reasonable* mail that isn't accusing us of
some wrong-doing, THEN we will consider updating our entry with
information pertaining to this vulnerability.
Until then, kindly lick my asshole clean.
More information about the VIM