Information Security News mailing list archives
Banking app vuln surfaces 18 months after discovery
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 25 Feb 2009 01:29:02 -0600 (CST)
http://www.theregister.co.uk/2009/02/25/cambium_group_advisory/

By Dan Goodin
The Register
25th February 2009

As a security auditor for 11 years, Adriel Desautels has written his share of vulnerability advisories, but never one like the one he issued Tuesday for a software package made by a small Vermont company called Cambium Group.

In the course of penetration testing a client's website, Desautels, who is CTO of security consulting firm Netragard, says he discovered that CAMAS - the marketing name for Cambium's content management system - was riddled with vulnerabilities that made its customers' websites susceptible to breaches that could reveal administrator passwords and other sensitive data. No small deal, since a significant percentage of Cambium's clients are banks, credit unions, and health care providers.

Of course, discoveries like these are a dime a dozen. What was unprecedented - at least for Desautels - was the amount of time it took to publish his findings: almost 18 months from the time of discovery. During most of that time, he says, CAMAS customers who didn't take special precautions - including Cambium Group itself, according to this Google cache - were vulnerable to attacks known as SQL injections.

"I have no doubt whatsoever that the vulnerability shown in the cached link above is the exact same one that we alerted Scott Wells of in August of 2007," Desautels wrote in an email to The Register, referring to Cambium's president. "Scott Wells may have fixed the vulnerability in our customer's instance of their Cambium Group Content Management System, but he certainly did not fix the rest of his customers according to Google."

[...]

_______________________________________________
Best Selling Security Books and More!
http://www.shopinfosecnews.org/