Aug 1, 2007
securityfocus.com Are Wrong
Some little asswipe sent in a vulnerability report to securityfocus.com (the same site Amelie had faux report problems with; which just happens to mirror to thousands of blogs and security websites across the Internet) claiming that there's a login issue in BellaBiblio and BellaBook/BellaBuffs (he couldn't make his mind up with that one) making them insecure. He claims that you can create a cookie called "bellabiblio" with a value of "administrator" and bypass the login security.
This is not true — the code this guy pasted as "proof" of the vulnerability even shows that the cookie is checked for a hashed combination of the username, password and random 'salt' all set by the user — and you can't replicate that without knowing all three of those values.
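To make the distinction concrete, here is an added illustration (not BellaBook's or BellaBiblio's actual code, and written in Python rather than PHP so it runs stand-alone) of the two checks being confused: the one the report assumed, where the cookie's literal value grants access, and the one the pasted code actually performs, where the cookie must match a hash of username, password and salt that are all configured by the site owner. The config values, the cookie name's role and the hash layout are assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample configuration (hypothetical values, not from any real install).
# All three are set by the site owner and never sent to the browser.
CONFIG = {"username": "admin", "password": "correct horse", "salt": "9f3c1a77e2"}


def login_token(username: str, password: str, salt: str) -> str:
    """Value written to the cookie after a successful login.

    It is a digest over all three owner-controlled values, so the cookie
    cannot be reproduced by someone who knows none of them. (Assumed layout.)
    """
    material = f"{username}:{password}:{salt}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def naive_is_admin(cookies: dict) -> bool:
    """The check the vulnerability report assumed existed: the cookie's
    plain value alone decides whether the visitor is the administrator."""
    return cookies.get("bellabiblio") == "administrator"


def hashed_is_admin(cookies: dict, config: dict) -> bool:
    """The check the pasted code actually performs: the cookie must equal the
    digest derived from the configured username, password and salt.

    hmac.compare_digest keeps the comparison constant-time so the check does
    not leak how many leading characters of the token were correct.
    """
    expected = login_token(config["username"], config["password"], config["salt"])
    presented = cookies.get("bellabiblio", "")
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    forged = {"bellabiblio": "administrator"}  # what the report said would work
    genuine = {"bellabiblio": login_token(**CONFIG)}  # set only after a real login
    print("naive check, forged cookie :", naive_is_admin(forged))
    print("hashed check, forged cookie:", hashed_is_admin(forged, CONFIG))
    print("hashed check, real cookie  :", hashed_is_admin(genuine, CONFIG))
```

Because the token is derived only from static configuration, it stays valid until the owner changes the password or the salt; a practitioner auditing a scheme like this would therefore look at cookie expiry and rotation, not at the forgeability the report alleged.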
One of the bug report "BID"s has already been marked as retired because, and I quote: "The original information provided has been proven to be incorrect" but that doesn't change the fact that the so-called vulnerability is (as I said) on thousands of blogs and security websites.
I love security, and I am very active in reviewing scripts (as many of you know) but I would never publish information so obviously incorrect as that on such a huge website without verifying the allegations with multiple 'masters' in the field. We all make mistakes, but maybe he should take a leaf out of my book and keep his mistakes on a website of his own... at least then damage is minimal.
Welcome to the blog of girl geek & php ninja; Jem. Web developer, mum and crazy cat lady talks about parenting, pets and php 