Bugtraq mailing list archives

re: Advisory #5 Corrections.


From: zeno <zeno () cgisecurity net>
Date: Mon, 11 Jun 2001 18:24:27 +0000 (GMT)


Hello,

The advisory on the virtual shopping cart is incorrect. The actual hole
is in another product from this vendor. Due to a lack of communication
with myself and the vendor this advisory was incorrectly formed.

There is a security problem in CatalogMgr.pl but it is part of the VirtualCatalog
not the VirtualCart as originally stated. Part of this error was caused by losing
some notes that got destroyed in a HD failure and emails between myself and the vendor
not being on the same grounds. I had spoken with the vendor in 3 or 4 emails in regards
to a hole in the shopping cart and was never once told otherwise until after
this bugtraq posting. They were also aware of a public posting and it seemed
to my understanding that we were on the same grounds. (Obviously not)

The patch I received was from the vendor and from what I was told was part
of this Virtualcart program. I guess this posting is a wake up call to people
to make sure before they post something to a mailing list to quadruple check
everything about the advisory and MAKE SURE you and the vendor have a firm
understanding of everything going on.

I have removed all references from the website and will be issuing a corrected advisory
privately on the site along with a formal letter on the situation.


- zenomorph

