[VIM] Legitimate spelling diffs in Claroline report; XSS unfixed?

security curmudgeon jericho at attrition.org
Sun May 15 03:38:21 EDT 2005


: Issue:
: 
:  BUGTRAQ:20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline
:  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111464607103407&w=2

Finally got to this as you can probably guess from one of my last mails..

: The reporters list "exercise_result.php" and "exercice_submit.php",
: which might suggest a spelling discrepancy or typo ("exercise"
: vs. "exercice") but the CVS logs for Claroline indicate that this
: discrepancy is legit:
: 
:   http://cvs.claroline.net/cgi-bin/viewcvs.cgi/Claroline010/claroline/exercice/exercise_result.php
:   http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/exercice/exercice_submit.php
: 
: The CVS log for exercise_result.php does not include any recent mods 
: that specifically mention XSS, nor do the changes show typical XSS 
: protections, and yet it is mentioned by the original researchers as an 
: attack vector.  Possibly a library problem?

The timeline included with the disclosure suggests the vendor was well in 
the loop and disclosure occurred after release of a patched version. Based 
on that and your comment above, along with the fact Sieg Fried clearly 
examined some library scripts (look at the remote file inclusions).. I'd 
imagine the XSS and/or the SQL injection problems are likely due to some 
libraries. 

Without followup or examining the files further..

