Dear Mr. SALO, Thanks for your email, and for pointing out the dual discovery. In fact, we are aware of this situation, and we agree that we had by mistake published a few advisories which implied already discovered vulnerabilities. Indeed, there is no "lots of announcements" as you may have been tricked to think through attrition.org. Jericho is really far from being objective, and he only published parts of our communications. To make a long story short, he made a lot of mistakes, and after a deep review of our advisories, we admitted that we discovered 5 vulnerabilities which were effectively previously published? Only 5 vulnerabilities on more than 300 bulletins which have already permitted about 120 vendors to improve the security of their products. Those 5 webpages will not be removed, as it is a true discovery from our R&D team. Nevertheless, the credit information field have been updated several months ago: - HTB22770: http://www.htbridge.ch/advisory/sql_injection_in_phpmysport.html - HTB22666: http://www.htbridge.ch/advisory/rfi_in_jaf_cms.html - HTB22445: http://www.htbridge.ch/advisory/xss_vulnerability_in_cruxcms.html - HTB22442: http://www.htbridge.ch/advisory/xss_vulnerability_in_portalapp_1.html - HTB22398: http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_boastmachine. html Once again, thanks for your feedback, and I wish you a merry Christmas and a happy new year! Regards, Frédéric BOURLA Head of Ethical Hacking Department -----Original Message----- From: Henri Salo [mailto:henri@xxxxxxx] Sent: dimanche 18 décembre 2011 13:34 To: security curmudgeon; advisory@xxxxxxxxxxx Cc: bugtraq@xxxxxxxxxxxxxxxxx Subject: Re: RFI in JAF CMS On Sat, Apr 02, 2011 at 12:31:28AM -0500, security curmudgeon wrote: > CVE-2008-1609 & CVE-2006-7128 > > same issue, 4.0 RC1 and RC2. really guys? at least check VDBs before > you publish. > > : Vulnerability ID: HTB22666 > > : Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response > > Did you check the vendor's page? > > This page last updated on : May 20, 2006 This is still listed in htbridge web-page. Sadly www.attrition.org/errata/ doesn't work anymore. They listed lots of similar announcements. https://www.htbridge.ch/advisory/rfi_in_jaf_cms.html http://webcache.googleusercontent.com/search?q=cache:bXCSV_g236EJ:attrition. org/errata/charlatan/htbridge/advisory_errata.html&hl=en&strip=1 - Henri Salo
