[VIM] Legitimate spelling diffs in Claroline report; XSS unfixed?
Steven M. Christey
coley at mitre.org
Mon May 2 17:08:44 EDT 2005
Issue:
BUGTRAQ:20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111464607103407&w=2
The reporters list "exercise_result.php" and "exercice_submit.php",
which might suggest a spelling discrepancy or typo ("exercise"
vs. "exercice") but the CVS logs for Claroline indicate that this
discrepancy is legit:
http://cvs.claroline.net/cgi-bin/viewcvs.cgi/Claroline010/claroline/exercice/exercise_result.php
http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/exercice/exercice_submit.php
The CVS log for exercise_result.php does not include any recent mods
that specifically mention XSS, nor do the changes show typical XSS
protections, and yet it is mentioned by the original researchers as an
attack vector. Possibly a library problem?
- Steve
More information about the VIM
mailing list