Dear Mike, The CSS vulnerabilities are based on previous versions of IPB, the vendor did not feel to fix them with update 1.3 > 1.3.1 final. see http://securityfocus.com/bid/9768 Multiple SQL Injection Vulnerabilities were already found in IPB, http://securityfocus.com/bid/7290 http://securityfocus.com/bid/9232 The problem that the vendor did fix was a vulnerability in the calendar. http://securityfocus.com/bid/9353 In history IPB was more than once vulnerable to SQL injections of the same type, so there is no reason to provide them with old information. An other reason is that those kinds of vulns. are common, old news.... a query in google results in 100.000 full instructions to exploit them, for ISP's it's quite easy to block these requests and minimize the risks. > Mike Healan wrote: > Where is the vendor response to this? From what I can see at their > support site, they've never heard of these two problems. > > Let me guess, you never bothered to contact them and instead elected to > publicize full instructions to exploit software in use at over 100,000 > web sites? BR, Jan van de Rijt. ---> http://members.home.nl/thewarlock
