[VIM] Security Vulnerabilities reported in blur6ex (fwd)
Steven M. Christey
coley at linus.mitre.org
Thu Apr 13 13:34:50 EDT 2006
---------- Forwarded message ----------
Date: Thu, 13 Apr 2006 10:45:44 -0400
From: brian
To: Steven M. Christey <coley at mitre.org>
Subject: Re: Security Vulnerabilities reported in blur6ex
Steven,
Thank you for alerting us about these issues. We're working on a fix
right now.
Thanks,
Brian
www.blursoft.com
Steven M. Christey wrote:
> Hello,
>
> I am a computer security professional and the editor for the Common
> Vulnerabilities and Exposures (CVE) project. CVE is a list of
> software vulnerabilities, and it is widely used in the computer
> security industry. It is sponsored by the US Department of Homeland
> Security. (http://www.us-cert.gov/cve/, http://cve.mitre.org/)
>
> Recently, some vulnerabilities in your product were reported to public
> sources. References include:
>
> http://www.securityfocus.com/archive/1/archive/1/430607/100/0/threaded
> http://www.securityfocus.com/bid/17465
>
> I downloaded the product and checked for these issues. The reports
> look legitimate.
>
> The problem with the "shard" variable looks very serious. It looks
> like an attacker could use "../" sequences to access any file on the
> system, and use a null character so that extensions other than .php
> can be accessed. This could then be used to execute arbitrary code.
>
> Can you confirm the existence of these issues? Will a fix be made
> available?
>
>
> Thank you,
> Steve Christey
> Principal Information Security Engineer
> CVE Editor
> The MITRE Corporation
>
>
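The "../" plus null-character bypass described in the quoted report, as an added example that is not part of this thread or of blur6ex's code: a Python model of an assumed include resolver, naive form beside a hardened form. `BASE_DIR`, `naive_resolve` and `resolve_shard` are constructed names for illustration.

```python
"""Hypothetical 'shard' include resolver: naive form beside a hardened form.

Assumed pattern (not blur6ex's own code): the include path is built as
base_dir + shard + ".php" straight from the request parameter. The
hardened version rejects the two tricks named in the report: "../"
traversal and a NUL byte that truncates the path before ".php".
"""
import os
import re
from typing import Optional

# Constructed example: directory holding the legitimate shard modules.
BASE_DIR = "/var/www/blur6ex/shards"
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_resolve(shard: str, base_dir: str = BASE_DIR) -> str:
    """Assumed vulnerable behaviour: concatenate and let the OS open it.

    The split at NUL models how a C-level file API stops reading the
    path there, so the appended ".php" never takes effect.
    """
    path = os.path.join(base_dir, shard + ".php")
    return path.split("\x00", 1)[0]


def resolve_shard(shard: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute .php path for a shard name, or None if rejected."""
    if "\x00" in shard:
        return None  # NUL would truncate the path and drop the extension
    if not _SAFE_NAME.match(shard):
        return None  # allow-list; no stripping of "../" that could re-form
    candidate = os.path.normpath(os.path.join(base_dir, shard + ".php"))
    # Defence in depth: the final path must still sit inside base_dir.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate
```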