[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002201ccbfc1$d54f9e60$7feedb20$@htbridge.ch>
Date: Wed, 21 Dec 2011 10:20:49 +0100
From: Frédéric BOURLA <frederic.bourla@...ridge.ch>
To: <bugtraq@...urityfocus.com>
Subject: RE: RFI in JAF CMS
Dear Mr. SALO,
Thanks for your email, and for pointing out the dual discovery.
In fact, we are aware of this situation, and we agree that we had by mistake
published a few advisories which implied already discovered vulnerabilities.
Indeed, there is no "lots of announcements" as you may have been tricked to
think through attrition.org. Jericho is really far from being objective, and
he only published parts of our communications. To make a long story short,
he made a lot of mistakes, and after a deep review of our advisories, we
admitted that we discovered 5 vulnerabilities which were effectively
previously published
Only 5 vulnerabilities on more than 300 bulletins
which have already permitted about 120 vendors to improve the security of
their products.
Those 5 webpages will not be removed, as it is a true discovery from our R&D
team. Nevertheless, the credit information field have been updated several
months ago:
- HTB22770: http://www.htbridge.ch/advisory/sql_injection_in_phpmysport.html
- HTB22666: http://www.htbridge.ch/advisory/rfi_in_jaf_cms.html
- HTB22445:
http://www.htbridge.ch/advisory/xss_vulnerability_in_cruxcms.html
- HTB22442:
http://www.htbridge.ch/advisory/xss_vulnerability_in_portalapp_1.html
- HTB22398:
http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_boastmachine.
html
Once again, thanks for your feedback, and I wish you a merry Christmas and a
happy new year!
Regards,
Frédéric BOURLA
Head of Ethical Hacking Department
-----Original Message-----
From: Henri Salo [mailto:henri@...v.fi]
Sent: dimanche 18 décembre 2011 13:34
To: security curmudgeon; advisory@...ridge.ch
Cc: bugtraq@...urityfocus.com
Subject: Re: RFI in JAF CMS
On Sat, Apr 02, 2011 at 12:31:28AM -0500, security curmudgeon wrote:
> CVE-2008-1609 & CVE-2006-7128
>
> same issue, 4.0 RC1 and RC2. really guys? at least check VDBs before
> you publish.
>
> : Vulnerability ID: HTB22666
>
> : Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
>
> Did you check the vendor's page?
>
> This page last updated on : May 20, 2006
This is still listed in htbridge web-page. Sadly www.attrition.org/errata/
doesn't work anymore. They listed lots of similar announcements.
https://www.htbridge.ch/advisory/rfi_in_jaf_cms.html
http://webcache.googleusercontent.com/search?q=cache:bXCSV_g236EJ:attrition.
org/errata/charlatan/htbridge/advisory_errata.html&hl=en&strip=1
- Henri Salo
Powered by blists - more mailing lists