Yes, those were my findings exactly, but I agree with Rick Murphy's point 
that under a particular set of parameters, it could be exploitable, but for 
some reason EsecurityOnline made it sound like it was a GLARING vulnerability.

/mark

At 03:16 PM 11/17/00 +0100, mouss wrote:
>I've checked the x-gw code, and each time pmsg is used, the buf argument is
>either a constant string or results from an sprintf().
>
>so, for me, this is a false alarm...
>
>
>cheers,
>mouss
>
>
>
>At 14:49 16/11/00 -0800, [EMAIL PROTECTED] wrote:
>>A note has been sent to NAI support trying to validate the validity of 
>>the vulnerability alert.  I also have requested several times for
>>EsecurityOnline to verify this, since I could not replicate their 
>>vulnerability alert.
>>
>>At 07:04 AM 11/17/00 +0900, Harry Behrens wrote:
>>>You guys call grep'ing for unformatted xprintf() security research? Gimme a
>>>break!
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
