[VIM] Lifetype "XSS" issue might be file inclusion?
Steven M. Christey
coley at mitre.org
Mon Apr 17 21:13:01 EDT 2006
OK, so these days I'm probably seeing these issues even when they
don't exist :)

Refs: CVE-2006-1808 and CVE-2006-1809

Lifetype has source available, but a grep-style check didn't find
proof right away.

- op parameter is "Template" which suggests use of templates, which
  are frequently files...
- attacker uses XSS manipulation in a Template op
- and even with the XSS manipulation, you get full path disclosure

So - this could be an application-controlled XSS/full path disclosure
("hey, I couldn't find the template using this filename: [XYZ]") or
maybe it's a PHP-level inclusion/path traversal error by actually
trying to access the file and failing.

Either way I dunno, just figured someone out there with a more
extensive PHP testing environment might be curious to investigate.

- Steve
======================================================
Name: CVE-2006-1808
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1808
Reference: BUGTRAQ:20060414 Vulnerabilities in lifetype
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/431008/100/0/threaded
Reference: FRSIRT:ADV-2006-1367
Reference: URL:http://www.frsirt.com/english/advisories/2006/1367
Reference: SECTRACK:1015941
Reference: URL:http://securitytracker.com/id?1015941
Reference: SECUNIA:19646
Reference: URL:http://secunia.com/advisories/19646
Cross-site scripting (XSS) vulnerability in index.php in Lifetype
1.0.3 allows remote attackers to inject arbitrary web script or HTML
via the show parameter in a Template operation.
======================================================
Name: CVE-2006-1809
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1809
Reference: BUGTRAQ:20060414 Vulnerabilities in lifetype
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/431008/100/0/threaded
Reference: SECTRACK:1015941
Reference: URL:http://securitytracker.com/id?1015941
index.php in Lifetype 1.0.3 allows remote attackers to obtain
sensitive information via an invalid show parameter, which reveals the
path in an error message.
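
Added example, not part of the original post and not Lifetype's code: one way to triage the question raised above, by checking whether a saved error response carries PHP's own file-open warning text or only an application-written message that echoes the parameter. The marker string, the sample responses and the paths in them are constructed for illustration.

```python
import html
import re

TAGS = re.compile(r"<[^>]+>")
# Text PHP itself emits when a file open/include fails ("main" is the PHP 4 form).
PHP_FILE_ERROR = re.compile(
    r"(?:Warning|Fatal error):\s+(?:include|require|main|fopen|file)\w*\("
    r".{0,300}?(?:failed to open stream|Failed opening)", re.I | re.S)
# Absolute filesystem path (common Unix roots or a Windows drive path).
ABS_PATH = re.compile(r"(?:[A-Za-z]:\\|/(?:var|home|usr|srv|opt|www)/)[\w./\\-]+")

# Constructed test data: a harmless marker and three hypothetical responses.
MARKER = 'vimprobe"<i>'
PHP_SAMPLE = ('<b>Warning</b>:  include(./templates/vimprobe"<i>.template) '
              '[function.include]: failed to open stream: No such file or '
              'directory in <b>/srv/www/app/index.php</b> on line <b>42</b>')
APP_SAMPLE = ('<p>Error: could not find template vimprobe"<i> '
              'in /srv/www/app/templates</p>')
ENCODED_SAMPLE = '<p>Template vimprobe&quot;&lt;i&gt; not found</p>'


def triage(body, marker):
    """Classify one saved error response for a request that sent `marker`."""
    text = html.unescape(TAGS.sub("", body))
    raw = marker in body                       # echoed without output encoding
    encoded = not raw and html.escape(marker) in body
    if PHP_FILE_ERROR.search(text):
        # The interpreter tried to open a file built from the input.
        verdict = "php-level file access"
    elif raw or encoded:
        # Only the application's own message mentions the value.
        verdict = "application-level echo"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "unescaped": raw,
            "paths": ABS_PATH.findall(text)}


if __name__ == "__main__":
    for name, body in [("php", PHP_SAMPLE), ("app", APP_SAMPLE),
                       ("encoded", ENCODED_SAMPLE)]:
        print(name, triage(body, MARKER))
```

A "php-level file access" verdict means the parameter reached a filesystem call and the file handling needs review, while "application-level echo" with `unescaped` set points to an output-encoding fix plus a generic error message.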