[VIM] Vendor ACK for aoblogger 2.3 issues
Steven M. Christey
coley at mitre.org
Sat Apr 15 13:55:54 EDT 2006
(hey osvdb - another victory for generic URLs!)
Researcher: alex at evuln
Issues: CVE-2006-0310, CVE-2006-0311, CVE-2006-0312
Forum post:
http://mikeheltonisawesome.com/viewcomments.php?idd=46
Date: Feb 27th 2006 | Subject: Security Fixes!
I googled aoblogger, and managed to find several websites with info on
three major security holes, all of which have been fixed in the newest
version available for download on sourceforge or hotscripts.
In the download, the vendor changelog says:
Changes in 2.4
__________________
Fixed three major security holes. Source is fully secure as of this
release
1) XSS attack in create.php
2) sql injection in BB Code and in login.php
CAVEAT:
These descriptions are slightly inconsistent with CVE's descriptions,
so I took a casual look at the source code, which makes it unclear
whether the issues were properly fixed. Hard to tell on the surface.
- Steve