[VIM] PROMS issues - partial clarity in the changelog

Steven M. Christey coley at mitre.org
Tue May 24 19:04:07 EDT 2005


SecurityTracker [1] reported details for various issues in PROMS
before 0.11, but the original vendor announcement here:

  http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91

only suggests "Many security fixes."

But the CHANGELOG file, as included in the download for PROMS 0.11,
has these additional details:

  * Various SQL queries were vulnerable to SQL injections. Fixed. (See also
    README)
  * A few places didn't filter out HTML entities correctly. Fixed.
  * Certain combinations of rights caused users to be granted more rights than
    they should have been. Fixed.
  * Various improvements in the security checks. Many checks depended on
    being the project owner where they should have depended on the individual
    access right. Fixed.
  * It was possible for non-authorized users to view and modify the list of 
    project members. Fixed.
  * Todos could be modified by non-authorized users. Fixed.

There are other items in the changelog that might warrant review, but
these were the interesting ones that I saw.

One could easily infer more details for at least the SQL injections by
doing a diff on versions 0.10 and 0.11 (both are available for
download), but the diff is almost 5000 lines long.


[1] http://securitytracker.com/id?1013992
