[ISN] Banking app vuln surfaces 18 months after discovery

From: InfoSec News <alerts_at_private>
Date: Wed, 25 Feb 2009 01:29:02 -0600 (CST)
http://www.theregister.co.uk/2009/02/25/cambium_group_advisory/

By Dan Goodin 
The Register
25th February 2009

As a security auditor for 11 years, Adriel Desautels has written his 
share of vulnerability advisories, but never one like the one he issued 
Tuesday for a software package made by a small Vermont company called 
Cambium Group.

In the course of penetration testing a client's website, Desautels, who 
is CTO of security consulting firm Netragard, says he discovered that 
CAMAS - the marketing name for Cambium's content management system - was 
riddled with vulnerabilities that made its customers' websites 
susceptible to breaches that could reveal administrator passwords and 
other sensitive data. No small deal since a significant percentage of 
Cambium's clients are banks, credit unions, and health care providers.

Of course, discoveries like these are a dime a dozen. What was 
unprecedented - at least for Desautels - was the amount of time it took 
to publish his findings: Almost 18 months from the time of discovery. 
During most of that time, he says CAMAS customers who didn't take 
special precautions - including Cambium Group itself, according to this 
Google cache - were vulnerable to attacks known as SQL injections.

"I have no doubt what so ever that the vulnerability shown in the cached 
link above is the exact same one that we alerted Scott Wells of in 
August of 2007," Desautels wrote in an email to The Register, referring 
to Cambium's president. "Scott Wells may have fixed the vulnerability in 
our customer's instance of their Cambium Group Content Management 
System, but he certainly did not fix the rest of his customers according 
to google."

[...]


_______________________________________________      
Best Selling Security Books and More!
http://www.shopinfosecnews.org/
Received on Tue Feb 24 2009 - 23:29:02 PST

This archive was generated by hypermail 2.2.0 : Tue Feb 24 2009 - 23:34:11 PST