By Dan Goodin
25th February 2009
As a security auditor for 11 years, Adriel Desautels has written his
share of vulnerability advisories, but never one like the one he issued
Tuesday for a software package made by a small Vermont company called
In the course of penetration testing a client's website, Desautels, who
is CTO of security consulting firm Netragard, says he discovered that
CAMAS - the marketing name for Cambium's content management system - was
riddled with vulnerabilities that made its customers' websites
susceptible to breaches that could reveal administrator passwords and
other sensitive data. No small deal since a significant percentage of
Cambium's clients are banks, credit unions, and health care providers.
Of course, discoveries like these are a dime a dozen. What was
unprecedented - at least for Desautels - was the amount of time it took
to publish his findings: almost 18 months from the time of discovery.
During most of that time, he says CAMAS customers who didn't take
special precautions - including Cambium Group itself, according to this
Google cache - were vulnerable to attacks known as SQL injections.
"I have no doubt whatsoever that the vulnerability shown in the cached
link above is the exact same one that we alerted Scott Wells of in
August of 2007," Desautels wrote in an email to The Register, referring
to Cambium's president. "Scott Wells may have fixed the vulnerability in
our customer's instance of their Cambium Group Content Management
System, but he certainly did not fix the rest of his customers according