lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <001501c44e7f$936046f0$05a0968c@p42800mhz>
Date: Thu, 10 Jun 2004 02:12:11 +0200
From: "JvdR" <thewarlock@...e.nl>
To: "Mike Healan" <mike@...wareinfo.com>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: Multiple Vulnerabilities in Invision Power Board v1.3.1 Final.


Dear Mike,

The CSS vulnerabilities are based on previous versions of IPB,
the vendor did not feel to fix them with update 1.3 > 1.3.1 final.
see http://securityfocus.com/bid/9768

Multiple SQL Injection Vulnerabilities were already found in IPB,
http://securityfocus.com/bid/7290
http://securityfocus.com/bid/9232

The problem that the vendor did fix was a vulnerability in the calendar.
http://securityfocus.com/bid/9353

In history IPB was more than once vulnerable to SQL injections of the
same type, so there is no reason to provide them with old information.

An other reason is that those kinds of vulns. are common, old news....
a query in google results in 100.000 full instructions to exploit them,
for ISP's it's quite easy to block these requests and minimize the risks.


> Mike Healan wrote:
> Where is the vendor response to this? From what I can see at their
> support site, they've never heard of these two problems.
>
> Let me guess, you never bothered to contact them and instead elected to
> publicize full instructions to exploit software in use at over 100,000
> web sites?

BR,
Jan van de Rijt.
--->
http://members.home.nl/thewarlock




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ