Well kids, There is a next to useless disclosure.
Its is also customary to show some kind f timeline of your correspondence with the vendor. I swear to $deity we used to have standards here, On 7 Dec 2011, at 16:51, ddivulnalert wrote: > Title > ----- > DDIVRT-2011-38 KnowledgeTree login.php Blind SQL Injection > > Severity > -------- > High > > Date Discovered > --------------- > November 18, 2011 > > Discovered By > ------------- > Digital Defense, Inc. Vulnerability Research Team > Credit: sxkeebler and r@b13$ > > Vulnerability Description > ------------------------- > The KnowledgeTree login.php login page is vulnerable to a blind SQL > injection vulnerability within the username field. An attacker can > leverage this flaw to execute arbitrary SQL commands and extract > sensitive information from the backend database using standard blind > SQL exploitation techniques. Additionally, an attacker may be able to > leverage this flaw to compromise the database server host OS. > > Solution Description > -------------------- > KnowledgeTree has released a patch which addresses the issue. The new > source is available at: > http://wiki.knowledgetree.org/Security_advisory:_KnowledgeTree_login.php_Blind_SQL_Injection > > Tested Systems / Software > ------------------------- > KnowledgeTree Version 3.7.0.2 (community edition) > > Vendor Contact > -------------- > Vendor Name: KnowledgeTree, Inc. > Vendor Website: http://www.knowledgetree.com/ > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
