|
|
 |
| New User, Welcome! Login |
Re: SQL injection vulnerability in TCMS
| From: |
security curmudgeon <jericho attrition org> |
| To: |
advisory htbridge ch |
| Cc: |
bugtraq securityfocus com |
| Subject: |
Re: SQL injection vulnerability in TCMS |
| Date: |
Sat - Aug 28, 2010 04:36 PM |
: Vulnerability ID: HTB22576
: Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_tcms_2.html
: Vulnerability ID: HTB22571
: Reference: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_tcms.html
Aside switching from GET to a POST request, what is the difference here?
That the injection point to reach the vulnerable script is /index.php this
time? You say the php/lib/admin.php script and 'id' variable are
vulnerable in each advisory.
Do you really need to issue two advisories for the same vulnerability, or
do you not understand the concept fully? Could you kids at lease put the
script name in the Subject of your Bugtraq posts if you continue to do
this one advisory/mail per script crap? While you may think it gives the
appearance of more work and more vulnerabilities, most people that have
been in security for a few months recognize it as an immature advisory
practice as compared to one consolidated advisory with all of the issues.
Bonus points if you reply to any of my previous mails asking questions
about your pedestrian disclosures.
Sincerely,
OSVDB.org
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
