[VIM] Vendor dispute of Lighthouse CMS XSS (CVE-2005-4780)

Steven M. Christey coley at mitre.org
Fri Apr 14 16:33:09 EDT 2006


Issue reported by r0t.

I concur with the vendor.  Interestingly, the vendor says how OSVDB
also reported this issue, but it doesn't seem like they contacted
OSVDB...

- Steve

======================================================
Name: CVE-2005-4780
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4780
Acknowledged: no disputed
Announced: 20051218
Flaw: XSS
Reference: MISC:http://pridels.blogspot.com/2005/12/lighthouse-cms-xss-vuln.html
Reference: MISC:http://www.lighthouse-cms.de/en/news/
Reference: BID:15952
Reference: URL:http://www.securityfocus.com/bid/15952
Reference: OSVDB:21852
Reference: URL:http://www.osvdb.org/21852
Reference: XF:lighthousecms-search-xss(23668)
Reference: URL:http://xforce.iss.net/xforce/xfdb/23668

** DISPUTED **

Cross-site scripting (XSS) vulnerability in Fidra Lighthouse CMS 1.1.0
and earlier allows remote attackers to inject arbitrary web script or
HTML via the search parameter in a query_string to the home page.
NOTE: The vendor disputes this issue, saying "Lighthouse does not in
any way make use of the PHP technology.  [It] is an application server
... A technology like this cannot be susceptible to client-side
cross-site-scripting-attacks on its own, but only applications created
based on such a technology. This does not only apply to Lighthouse,
but also to Perl, PHP or web applications based on Java Servlet
technology."  Since the original researcher is known to test demo
pages and is sometimes inaccurate, it is likely that this issue will
be REJECTED.


Analysis:

ACKNOWLEDGEMENT: Disputed.  The vendor has made a dispute, asserting
that the vulnerability does not exist. The vendor News page refers to
the lighthouse-cms-xss-vuln advisory and says "it is being claimed
that Lighthouse is supposedly susceptible to client-side
cross-site-scripting-attacks ... The Lighthouse Content Management
System is not, and never has been, susceptible to attacks like this
and does not exhibit any known security issues in this or any other
way."

ACCURACY: The researcher is well-known to test demo pages.  This error
might have arisen from a demo test; however, this cannot be confirmed.



