[VIM] Vendor dispute of Lighthouse CMS XSS (CVE-2005-4780)
security curmudgeon
jericho at attrition.org
Mon Apr 17 23:53:33 EDT 2006
: I concur with the vendor. Interestingly, the vendor says how OSVDB also
: reported this issue, but it doesn't seem like they contacted OSVDB...
: Name: CVE-2005-4780
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4780
: Reference: MISC:http://www.lighthouse-cms.de/en/news/
Hah, this is amusing. Copying here for archiving =)
--
Alleged Security Issue in Lighthouse

On February 10, 2006, it was brought to our attention that the web page pridels.blogspot.com claims to have found a security issue regarding Lighthouse on December 18, 2005. Under http://pridels.blogspot.com/2005/12/lighthouse-cms-xss-vuln.html it is being claimed that Lighthouse is supposedly susceptible to client-side cross-site scripting attacks.

We wish to inform you that this notification is false: the allegation lacks any basis. The Lighthouse Content Management System is not, and never has been, susceptible to attacks like this and does not exhibit any known security issues in this or any other way. In our opinion, security warnings concerning software products have to be taken very seriously; this, however, requires that security warnings are verified diligently before being made public.

We regret how carelessly this has been handled by pridels.blogspot.com and wish to point out the following:

* We have not, neither before nor after the publication mentioned above, been informed of this alleged security issue.

* Other web pages, e.g. http://www.osvdb.org/displayvuln.php?osvdb_id=21852, have copied the false statement without further verification and describe the alleged issue like this: "This flaw exists because the application does not validate the 'search' variable upon submission to the 'index.php' script." This statement is absurd, because Lighthouse does not in any way make use of the PHP technology.

* The Lighthouse Content Management System is an application server, providing the user with powerful functionality to create, program and manage web-based applications. A technology like this cannot be susceptible to client-side cross-site scripting attacks on its own; only applications created on the basis of such a technology can be. This applies not only to Lighthouse, but also to Perl, PHP or web applications based on Java Servlet technology.