[VIM] PROMS issues - partial clarity in the changelog
security curmudgeon
jericho at attrition.org
Tue May 24 19:19:48 EDT 2005
: SecurityTracker [1] reported details for various issues in PROMS
: before 0.11, but the original vendor announcement here:
:
: http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91
I caught this via Freshmeat on May 5 and dug into the changelog:
: But the CHANGELOG file, as included in the download for PROMS 0.11,
: has these additional details:
:
: * Various SQL queries were vulnerable to SQL injections. Fixed. (See also
: README)
16716 PROMS Multiple Unspecified SQL Injection May 5, 2005
: * Certain combinations of rights caused users to be granted more rights than
: they should have been. Fixed.
16715 PROMS Unspecified User Rights Logic Flaw May 5, 2005
: * It was possible for non-authorized users to view and modify the list of
: project members. Fixed.
16714 PROMS Project Member List Unauthorized Modification May 5, 2005
: * Todos could be modified by non-authorized users. Fixed.
: * A few places didn't filter out HTML entities correctly. Fixed.
: * Various improvements in the security checks. Many checks depended on
: being the project owner where they should have depended on the individual
: access right. Fixed.
these three entries don't look familiar. i'm wondering if they were added
after i went through the first time. i'll have to look at making entries.
: There are other items in the changelog that might warrant review, but
: these were the interesting ones that I saw.
Also historically, I dug out two more entries:
16713 PROMS Unauthorized Action Link Disclosure Aug 28, 2003
16712 PROMS Unspecified SESSION ID Privilege Escalation Aug 10, 2003