| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LNX.2.00.1008281818240.15936@forced.attrition.org> Date: Sat, 28 Aug 2010 18:26:36 -0500 (CDT) From: security curmudgeon <jericho@...rition.org> To: advisory@...ridge.ch Cc: bugtraq@...urityfocus.com Subject: Re: SQL injection vulnerability in TCMS : Vulnerability ID: HTB22576 : Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_tcms_2.html : Vulnerability ID: HTB22571 : Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_tcms.html Aside switching from GET to a POST request, what is the difference here? That the injection point to reach the vulnerable script is /index.php this time? You say the php/lib/admin.php script and 'id' variable are vulnerable in each advisory. Do you really need to issue two advisories for the same vulnerability, or do you not understand the concept fully? Could you kids at lease put the script name in the Subject of your Bugtraq posts if you continue to do this one advisory/mail per script crap? While you may think it gives the appearance of more work and more vulnerabilities, most people that have been in security for a few months recognize it as an immature advisory practice as compared to one consolidated advisory with all of the issues. Bonus points if you reply to any of my previous mails asking questions about your pedestrian disclosures. Sincerely, OSVDB.org
Powered by blists - more mailing lists