[VIM] Legitimate spelling diffs in Claroline report; XSS unfixed?
security curmudgeon
jericho at attrition.org
Sun May 8 02:36:28 EDT 2005
: Issue:
:
: BUGTRAQ:20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline
: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111464607103407&w=2
:
: The reporters list "exercise_result.php" and "exercice_submit.php",
: which might suggest a spelling discrepancy or typo ("exercise"
: vs. "exercice") but the CVS logs for Claroline indicate that this
: discrepancy is legit:
:
: http://cvs.claroline.net/cgi-bin/viewcvs.cgi/Claroline010/claroline/exercice/exercise_result.php
: http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/exercice/exercice_submit.php
:
: The CVS log for exercise_result.php does not include any recent mods
: that specifically mention XSS, nor do the changes show typical XSS
: protections, and yet it is mentioned by the original researchers as an
: attack vector. Possibly a library problem?

I had held off splitting this out on OSVDB so I could examine the
changelog and other vendor information.

I'll add this to my to-do list and may end up waiting this out a bit more
until I can find more confirmation.