[VIM] Errors and oddities in Phorum 5.0.11 XSS/SQL injection
Steven M. Christey
coley at mitre.org
Fri Jul 15 17:25:06 EDT 2005
CVE's forthcoming.
OSVDB:11129 read.php SQL injection
SECUNIA:12980 - generic XSS and SQL injection
BID:11538 - generic XSS and SQL injection
SECTRACK:1011921 - read.php SQL injection and XSS
Looks like every VDB has a different spin on the details.
Here's my take:
- Positive Technologies releases report on SQL injection in read.php
query string for Phorum 5.0.11
MISC:http://www.maxpatrol.com/advdetails.asp?id=15
MISC:http://www.maxpatrol.com/mp_advisory.asp
Researcher claims issue is fixed in CVS.
- Phorum releases 5.0.12. Changelog says "XSS really gone now" and
two instances of "fixed sql-injection issue"
http://phorum.org/changelog-5.txt
Not enough detail for me to be sure they fixed the SQL injection
issue.
- I search through CVS to try and find relevant diffs, but give up
after a few minutes.
- CVS changelog is more informative:
http://phorum.org/cvs-changelog-5.txt
* shows SQL injection in read.php *AND* file.php
* lists XSS in search.php
For CVE, "mutual consistency" of researcher ("fixed in CVS") and
vendor (fixed associated file in next version) is sufficient for
acknowledgement of the read.php issue.
Somewhere along the line:
- VDB's linked the XSS to Positive Technologies - but they never
report XSS
- some VDB's only had the vendor changelog and so didn't know it was
read.php
- all/most VDB's missed that there are 2 SQL injections, one for
read.php and one for file.php
- some VDB's said the XSS was for read.php but there's no evidence
of it.
- Steve