Dear Mr. SALO,
Thanks for your email, and for pointing out the dual discovery.
In fact, we are aware of this situation, and we agree that we had by mistake published a few advisories which implied already discovered vulnerabilities.
Indeed, there is no "lots of announcements" as you may have been tricked into thinking through attrition.org. Jericho is really far from being objective, and he only published parts of our communications. To make a long story short, he made a lot of mistakes, and after a deep review of our advisories, we admitted that we discovered 5 vulnerabilities which were effectively previously published… Only 5 vulnerabilities on more than 300 bulletins which have already permitted about 120 vendors to improve the security of their products.
Those 5 webpages will not be removed, as it is a true discovery from our R&D team. Nevertheless, the credit information field has been updated several months ago:
- HTB22770: http://www.htbridge.ch/advisory/sql_injection_in_phpmysport.html
- HTB22666: http://www.htbridge.ch/advisory/rfi_in_jaf_cms.html
- HTB22445: http://www.htbridge.ch/advisory/xss_vulnerability_in_cruxcms.html
- HTB22442: http://www.htbridge.ch/advisory/xss_vulnerability_in_portalapp_1.html
- HTB22398: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_boastmachine.html
Once again, thanks for your feedback, and I wish you a merry Christmas and a happy new year!
Regards,
Frédéric BOURLA
Head of Ethical Hacking Department
-----Original Message-----
From: Henri Salo [mailto:henri@nerv.fi]
Sent: Sunday, 18 December 2011 13:34
To: security curmudgeon; advisory@htbridge.ch
Cc: bugtraq@securityfocus.com
Subject: Re: RFI in JAF CMS
On Sat, Apr 02, 2011 at 12:31:28AM -0500, security curmudgeon wrote:
> CVE-2008-1609 & CVE-2006-7128
>
> same issue, 4.0 RC1 and RC2. really guys? at least check VDBs before
> you publish.
>
> : Vulnerability ID: HTB22666
>
> : Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
>
> Did you check the vendor's page?
>
> This page last updated on : May 20, 2006
This is still listed on the htbridge web page. Sadly www.attrition.org/errata/ doesn't work anymore. They listed lots of similar announcements.
https://www.htbridge.ch/advisory/rfi_in_jaf_cms.html
http://webcache.googleusercontent.com/search?q=cache:bXCSV_g236EJ:attrition.org/errata/charlatan/htbridge/advisory_errata.html&hl=en&strip=1
- Henri Salo