[VIM] Vulnerability Summary CVE-2006-2184 (fwd)

Steven M. Christey coley at linus.mitre.org
Fri May 12 01:47:13 EDT 2006


just had to share...

---------- Forwarded message ----------
Date: Fri, 12 May 2006 01:41:49 -0400 (EDT)
From: Steven M. Christey <coley at rcf-smtp.mitre.org>
To: Ajay Chadha
Cc: cve at mitre.org, nvd at nist.gov
Subject: Re: Vulnerability Summary CVE-2006-2184


Hello,

> It has come to our notice that our product has been listed on your website
> at the URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2184 with a
> vulnerability hole in it but there is no such hole in our product and we
> fully claim that our product PHPKB Knowledge Base Script is free from any
> such "script attack" hole in it. You can test the script at
> http://www.knowledgebase-script.com/demo/


Thank you for your invitation to test your script.

In our experience, many vendors dispute vulnerability reports that
ultimately turn out to be correct.  Unfortunately, this is also the case
with your product.

It appears that your script has done well to filter obvious items such
as <abc> and <script>, and even (apparently) some javascript events, but
the following code - entered in the search box - will execute javascript:

  " onmouseover="javascript:alert('hi')"

To activate the issue, enter the above string into your search form, then
when the web site returns, move your mouse over the text form.  This will
activate the javascript.

I have not investigated any additional attack vectors, but this is
sufficient evidence of the legitimacy of the original report.

CVE has shared your dispute with other vulnerability information sources,
as we believe that it is paramount that consumers have all information
available, including vendor disputes.  This is why we recorded your
dispute in our original report.

Since there is now proof that the issue is real, we likely will not be
able to remove the CVE item entirely; however, when you fix the issue and
make the fix available to your consumers, we will gladly share this
information with the public.

To help you with your fixes, I would like to suggest several documents:

  - "XSS cheat sheet", which covers many variants of XSS that developers
    frequently miss.

    ha.ckers.org/xss.html

    (and others)

  - OWASP secure web development guide:

    http://www.owasp.org/

    Besides the Top 10, the OWASP 2.0 document is quite extensive.

  - "Blacklist defenses as a breeding ground for vulnerability variants"

    http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/041927.html


We look forward to your response, and to assuring all CVE's users that you
have provided a fix for the issue that we were able to independently
confirm.  We appreciate the active role that you are taking in securing
your products.


Regards,
Steve Christey
CVE Editor
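The point of the exchange above, as an added example that is not part of the original message and not PHPKB's code: a tag/keyword blacklist of the kind the reply describes strips <script> and a few event names but leaves the double quote alone, so the search string still closes the value attribute and becomes a real onmouseover attribute on the reflected form; context-aware attribute encoding (the equivalent of PHP's htmlspecialchars with ENT_QUOTES) keeps the whole string inside the attribute value. Python is used here as a stand-in for the PHP application; blacklist_filter, attribute_encode, the input template and the parser-based check are all assumptions for illustration.

```python
import html
import re
from html.parser import HTMLParser

# The string quoted in the reply above (entered in the search box).
PAYLOAD = '" onmouseover="javascript:alert(\'hi\')"'

# Assumed shape of the reflected search form; the real PHPKB markup is not on the page.
TEMPLATE = '<input type="text" name="q" value="{value}">'


def blacklist_filter(s: str) -> str:
    """Blacklist of the kind the reply describes (assumed, not PHPKB's code):
    drops anything that looks like a tag and a handful of event names,
    but never touches the double quote that closes the attribute value."""
    s = re.sub(r'<[^>]*>', '', s)
    s = re.sub(r'\bon(click|load|error)\b', '', s, flags=re.IGNORECASE)
    return s


def attribute_encode(s: str) -> str:
    """Context-aware output encoding for a double-quoted HTML attribute.
    Stand-in for htmlspecialchars($s, ENT_QUOTES): encodes & < > " and '."""
    return html.escape(s, quote=True)


def render(value: str, sanitizer) -> str:
    """Reflect the search term into the form the way the application would."""
    return TEMPLATE.format(value=sanitizer(value))


class _InputAttrs(HTMLParser):
    """Collects the attributes the browser would actually see on the input tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'input':
            self.attrs = attrs


def attribute_names(markup: str) -> list:
    """Attribute names of the rendered input element, as parsed (not as intended)."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return [name for name, _ in parser.attrs]


def has_injected_event_handler(markup: str) -> bool:
    """Detection check: did user input escape the value context and become an on* attribute?"""
    return any(name.lower().startswith('on') for name in attribute_names(markup))


if __name__ == '__main__':
    for label, sanitizer in (('blacklist', blacklist_filter), ('attribute-encode', attribute_encode)):
        out = render(PAYLOAD, sanitizer)
        print(f'{label:17} {out}')
        print(f'{"":17} attributes={attribute_names(out)} '
              f'handler_injected={has_injected_event_handler(out)}')
```

The check parses the rendered markup rather than grepping for the payload, which is what a regression test for this class of bug should do: the question is not whether the string "onmouseover" survives, but whether the parser ends up with an attribute of that name. The same harness works for any reflected field; only TEMPLATE changes.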

