<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>PHPDeveloper.org</title>
    <link>http://www.phpdeveloper.org</link>
    <description>Up-to-the Minute PHP News, views and community</description>
    <language>en-us</language>
    <pubDate>Wed, 22 May 2013 05:40:10 -0500</pubDate>
    <ttl>30</ttl>
    <item>
      <title><![CDATA[Christopher Kunz's Blog: PHPKIT vulnerabilities revisited]]></title>
      <guid>http://www.phpdeveloper.org/news/4792</guid>
      <link>http://www.phpdeveloper.org/news/4792</link>
      <description><![CDATA[On his blog, <i>Christopher Kunz</i> has <a href="http://www.christopher-kunz.de/serendipity/archives/90-PHPKIT-vulnerabilities-revisited.html">a new note</a> for anyone running PHPKIT about some security issues that came up and weren't addressed as quickly as they needed to be.
<p>
<quote>
<i>
A while back, I reported several vulnerabilities in PHPKIT to the vendors. Although not very well-known in the rest of the world, there's an abundance of installations of this product in German-speaking countries, since it is very easy to install, provides a German user (and administration) interface and has about the same feature set as the infamous PHP-Nuke.
<p>
After I reported the vulnerability, no response whatsoever was received. I phoned the vendor, and they told me something about an ominous "community release" and that I should report the issues in their forum. I gave the advisory (including PoC for each hole) to the forum administrator and told them to get a fix out of the door. They responded in a very weird fashion, but allegedly fixed the bugs and released an unofficial patch in the forum.
</i>
</quote>
<p>
He <a href="http://www.christopher-kunz.de/serendipity/archives/90-PHPKIT-vulnerabilities-revisited.html">goes on</a> in the post, stating why a distribution method like this isn't the wisest course of action. Patches are slower to distribute and apply than a full version release, especially ones distributed through less than "official" means...]]></description>
      <pubDate>Mon, 06 Feb 2006 06:40:05 -0600</pubDate>
    </item>
  </channel>
</rss>
