Vendors

Matts on 2002-07-11T09:13:53

Sometimes I wonder what the hell is wrong with vendors. Here's part of a bug posted to NTBugTraq last night:

This vulnerability makes it possible for an intruder to use the open SOAP or XML-RPC APIs published at http://www.soapware.org/xmlStorageSystem to create user accounts and upload random file data to any server running the Radio Community Server as published by UserLand Software Inc. at http://rcs.userland.com


The poster of this bug says he reported it to UserLand and CERT 8 weeks ago. When the Zlib bug came out, even though AxKit pretty much wasn't affected (despite embedding zlib), we made sure we checked the bug out and released a warning to our users to upgrade their zlibs the same day.

Vendors who ignore security issues should have to go through some sort of forced Darwinism. Perhaps now the exploit has been released UserLand will.