securityfocus.com Are Wrong
Some little asswipe sent in a vulnerability report to securityfocus.com (the same site Amelie had faux report problems with; which just happens to mirror to thousands of blogs and security websites across the Internet) claiming that there’s a login issue in BellaBiblio and BellaBook/BellaBuffs (he couldn’t make his mind up with that one) making them insecure. He claims that you can create a cookie called “bellabiblio” with a value of “administrator” and bypass the login security.
This is not true — the code this guy pasted as “proof” of the vulnerability even shows that the cookie is checked for a hashed combination of the username, password and random ‘salt’ all set by the user — and you can’t replicate that without knowing all three of those values.
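To show what the pasted code actually checks, here is an added Python sketch (not BellaBook's own code; the hash function, the separator and the sample values are assumptions) of a login-cookie check that hashes all three owner-set values, so a cookie that simply says "administrator" is rejected:

```python
import hashlib
import hmac

# Constructed sample values standing in for the username, password and
# random salt that the site owner sets (not BellaBook's real data).
USERNAME = "admin"
PASSWORD = "correct horse battery staple"
SALT = "8f3a1c"  # constructed


def make_cookie(username: str, password: str, salt: str) -> str:
    """Login cookie value: one hash over all three owner-set values.

    SHA-256 and the ':' concatenation order are assumptions for this
    example; the post only says the cookie holds a hash of the three.
    """
    material = f"{username}:{password}:{salt}".encode()
    return hashlib.sha256(material).hexdigest()


def check_cookie(cookie: str, username: str, password: str, salt: str) -> bool:
    """Accept the request only if the cookie equals the expected hash.

    hmac.compare_digest compares in constant time, so the check does not
    leak how many leading characters of a guessed cookie were right.
    """
    expected = make_cookie(username, password, salt)
    return hmac.compare_digest(cookie.encode(), expected.encode())


def evaluate_candidates(candidates: list[str]) -> dict[str, bool]:
    """Run several cookie values through the check; used by the demo below."""
    return {c: check_cookie(c, USERNAME, PASSWORD, SALT) for c in candidates}


if __name__ == "__main__":
    results = evaluate_candidates([
        "administrator",                                # the value the report claims works
        "admin",
        make_cookie(USERNAME, PASSWORD, "wrong-salt"),  # right credentials, wrong salt
        make_cookie(USERNAME, PASSWORD, SALT),          # the only value that passes
    ])
    for cookie, ok in results.items():
        print(f"{'accepted' if ok else 'rejected'}: {cookie}")
```

Only the cookie built from the real username, password and salt is accepted; missing any one of the three produces a different hash.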
One of the bug report “BID”s has already been marked as retired because, and I quote: “The original information provided has been proven to be incorrect” but that doesn’t change the fact that the so-called vulnerability is (as I said) on thousands of blogs and security websites.
I love security, and I am very active in reviewing scripts (as many of you know) but I would never publish information so obviously incorrect as that on such a huge website without verifying the allegations with multiple ‘masters’ in the field. We all make mistakes, but maybe he should take a leaf out of my book and keep his mistakes on a website of his own… at least then damage is minimal.