[VIM] Legitimate spelling diffs in Claroline report; XSS unfixed?

Steven M. Christey coley at mitre.org
Mon May 2 17:08:44 EDT 2005


Issue:

 BUGTRAQ:20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline
 URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111464607103407&w=2


The reporters list "exercise_result.php" and "exercice_submit.php",
which might suggest a spelling discrepancy or typo ("exercise"
vs. "exercice") but the CVS logs for Claroline indicate that this
discrepancy is legit:

  http://cvs.claroline.net/cgi-bin/viewcvs.cgi/Claroline010/claroline/exercice/exercise_result.php
  http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/exercice/exercice_submit.php


The CVS log for exercise_result.php does not include any recent mods
that specifically mention XSS, nor do the changes show typical XSS
protections, and yet it is mentioned by the original researchers as an
attack vector.  Possibly a library problem?

- Steve

