[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: RFI in JAF CMS
Dear Mr. SALO,
Thanks for your email, and for pointing out the dual discovery.
In fact, we are aware of this situation, and we agree that we had by mistake
published a few advisories which implied already discovered vulnerabilities.
Indeed, there is no "lots of announcements" as you may have been tricked to
think through attrition.org. Jericho is really far from being objective, and
he only published parts of our communications. To make a long story short,
he made a lot of mistakes, and after a deep review of our advisories, we
admitted that we discovered 5 vulnerabilities which were effectively
previously published? Only 5 vulnerabilities on more than 300 bulletins
which have already permitted about 120 vendors to improve the security of
Those 5 webpages will not be removed, as it is a true discovery from our R&D
team. Nevertheless, the credit information field have been updated several
- HTB22770: http://www.htbridge.ch/advisory/sql_injection_in_phpmysport.html
- HTB22666: http://www.htbridge.ch/advisory/rfi_in_jaf_cms.html
Once again, thanks for your feedback, and I wish you a merry Christmas and a
happy new year!
Head of Ethical Hacking Department
From: Henri Salo [mailto:henri@xxxxxxx]
Sent: dimanche 18 décembre 2011 13:34
To: security curmudgeon; advisory@xxxxxxxxxxx
Subject: Re: RFI in JAF CMS
On Sat, Apr 02, 2011 at 12:31:28AM -0500, security curmudgeon wrote:
> CVE-2008-1609 & CVE-2006-7128
> same issue, 4.0 RC1 and RC2. really guys? at least check VDBs before
> you publish.
> : Vulnerability ID: HTB22666
> : Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
> Did you check the vendor's page?
> This page last updated on : May 20, 2006
This is still listed in htbridge web-page. Sadly www.attrition.org/errata/
doesn't work anymore. They listed lots of similar announcements.
- Henri Salo