RE: RFI in JAF CMS

[Frédéric BOURLA <frederic.bourla () htbridge ch>]

Dear Mr. SALO,

Thanks for your email, and for pointing out the dual discovery.

In fact, we are aware of this situation, and we agree that we had by mistake
published a few advisories which implied already discovered vulnerabilities.
Indeed, there is no "lots of announcements" as you may have been tricked to
think through attrition.org. Jericho is really far from being objective, and
he only published parts of our communications. To make a long story short,
he made a lot of mistakes, and after a deep review of our advisories, we
admitted that we discovered 5 vulnerabilities which were effectively
previously published… Only 5 vulnerabilities on more than 300 bulletins
which have already permitted about 120 vendors to improve the security of
their products.

Those 5 webpages will not be removed, as it is a true discovery from our R&D
team. Nevertheless, the credit information field have been updated several
months ago: 
- HTB22770: http://www.htbridge.ch/advisory/sql_injection_in_phpmysport.html
- HTB22666: http://www.htbridge.ch/advisory/rfi_in_jaf_cms.html
- HTB22445:
http://www.htbridge.ch/advisory/xss_vulnerability_in_cruxcms.html
- HTB22442:
http://www.htbridge.ch/advisory/xss_vulnerability_in_portalapp_1.html
- HTB22398:
http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_boastmachine.
html

Once again, thanks for your feedback, and I wish you a merry Christmas and a
happy new year!

Regards,

Frédéric BOURLA
Head of Ethical Hacking Department

-----Original Message-----
From: Henri Salo [mailto:henri () nerv fi] 
Sent: dimanche 18 décembre 2011 13:34
To: security curmudgeon; advisory () htbridge ch
Cc: bugtraq () securityfocus com
Subject: Re: RFI in JAF CMS

On Sat, Apr 02, 2011 at 12:31:28AM -0500, security curmudgeon wrote:
> CVE-2008-1609 & CVE-2006-7128
>
> same issue, 4.0 RC1 and RC2. really guys? at least check VDBs before 
> you publish.
>
> : Vulnerability ID: HTB22666
>
> : Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
>
> Did you check the vendor's page?
>
> This page last updated on : May 20, 2006

This is still listed in htbridge web-page. Sadly www.attrition.org/errata/
doesn't work anymore. They listed lots of similar announcements.

https://www.htbridge.ch/advisory/rfi_in_jaf_cms.html
http://webcache.googleusercontent.com/search?q=cache:bXCSV_g236EJ:attrition.
org/errata/charlatan/htbridge/advisory_errata.html&hl=en&strip=1

- Henri Salo