[VIM] Generic vs. Specific XSS in phpCodeCabinet 0.4

Steven M. Christey coley at mitre.org
Wed May 18 17:05:06 EDT 2005


In February 2004, phpCodeCabinet 0.4 and earlier was reported to have
various XSS issues.  Some vuln. sources created a generic entry to
cover all of them; some also included a specific item for some (but
not all) instances.

I've done a little more research to resolve the generic vs. specific
issues to obtain some clarity and figure out how many candidates to
create.

The generic issue probably comes from the changelog here:

  http://sourceforge.net/project/shownotes.php?release_id=214860

This "CHANGELOG for phpCodeCabinet v0.5 (since 0.4)" includes the
following item:

   6. Fixed http script injection vulnerability within several files.
   Thanks to Yao-Wen (Wayne) Huang for pointing them out.

In turn, the changelog lists various files that have been modified,
which includes non-security fixes:

  - browse.php
  - category.php
  - comments.php
  - config.php
  - export.php
  - import.php
  - input.php
  - search.php
  - setup.php
  - snippet.php
  - theme/facade/header.php
  - theme/phpcc/header.php

Looks like OSVDB had garnered the CVS diffs for some of these files,
namely comments.php (OSVDB:3885), category.php (OSVDB:3886), and
input.php (OSVDB:3887).

There's also a generic identifier (OSVDB:3920), which points to a
generic item from ISS X-Force - phpcodecabinet-multiple-xss(15190) -
which in turn points to the previously mentioned changelog.
OSVDB:3920 also points to Secunia's SA10862, which is also generic,
and credits Yao-Wen, which effectively links back to the same
changelog.

So, these generic entries are all talking about changelog item #6 as
listed above.

I searched the comments in the CVS diffs for all the modified files
identified in the changelog, looking for changes that were relevant to
the generic XSS issue.

Each of these files has an item in January 2004 that says:

  Fixed http script injection vulnerabilities.

Those files are:

  comments.php
  category.php
  input.php
  browse.php
  themes/facade/header.php
  themes/phpcc/header.php

(note the typo in the vendor's changelog that uses "theme/" instead of
"themes/")

The relevant diffs are:

  http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/comments.php?r1=1.1&r2=1.2
  http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/category.php?r1=1.4&r2=1.5
  http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/input.php?r1=1.7&r2=1.8
  http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/browse.php?r1=1.5&r2=1.6
  http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/facade/header.php?r1=1.4&r2=1.5
  http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/phpcc/header.php?r1=1.4&r2=1.5


So, the infosources that use generic *and* specific entries for
phpCodeCabinet 0.4 XSS now have a little more information to work
with.

- Steve
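
The cross-check described in the post (match each file named in the vendor changelog against CVS log messages, allowing for the "theme/" typo), as an added example that is not part of the original message. The log text is a constructed sample in `cvs log` layout; its authors, timestamps and the search.php entry are assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample in `cvs log` layout. Authors, timestamps, the search.php
# entry and its message are invented; file names and the fix message are from the post.
SAMPLE_LOG = """\
Working file: comments.php
----------------------------
revision 1.2
date: 2004/01/15 10:00:00;  author: dev;  state: Exp;  lines: +4 -4
Fixed http script injection vulnerabilities.
=============================================================================
Working file: search.php
----------------------------
revision 1.3
date: 2004/01/16 10:00:00;  author: dev;  state: Exp;  lines: +2 -1
Layout cleanup.
=============================================================================
Working file: themes/facade/header.php
----------------------------
revision 1.5
date: 2004/01/15 10:00:00;  author: dev;  state: Exp;  lines: +3 -3
Fixed http script injection vulnerabilities.
=============================================================================
"""

def parse_cvs_log(text):
    """Return (file, revision, date, message) for every revision in the log."""
    entries = []
    for block in re.split(r"^={20,}$", text, flags=re.M):
        name = re.search(r"^Working file: (.+)$", block, re.M)
        if not name:
            continue
        for rev in re.split(r"^-{20,}\n", block, flags=re.M)[1:]:
            lines = rev.strip().splitlines()
            date = re.match(r"date: (\S+)", lines[1]).group(1)
            entries.append((name.group(1), lines[0].split()[1], date, "\n".join(lines[2:])))
    return entries

def security_fixes(entries, month="2004/01"):
    """Map file -> revision for commits in `month` whose message names the fix."""
    return {f: r for f, r, d, msg in entries
            if d.startswith(month) and re.search(r"script injection", msg, re.I)}

def reconcile(changelog_files, fixes):
    """Split the vendor's file list into confirmed fixes and unconfirmed names."""
    fixed = lambda n: re.sub(r"^theme/", "themes/", n)  # vendor typo noted in the post
    confirmed = {fixed(n): fixes[fixed(n)] for n in changelog_files if fixed(n) in fixes}
    return confirmed, [n for n in changelog_files if fixed(n) not in fixes]
```

Files left in the unconfirmed list were touched in the release but carry no security-related log message, which is the distinction between the generic and the specific entries.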

