[VIM] Possible HyperVM vendor dispute - but of severity or existence?

Steven M. Christey coley at mitre.org
Tue Dec 19 20:01:35 EST 2006

Researcher: Aria (keep reading anyway)
Ref: BUGTRAQ:20061217 HyperVM Cross-Site Scripting

So, there appears to be a dispute, but I'm not sure if the vendor
understands the issue.

front page at http://hypervm.com/ :

  "... An XSS issue has been found in hyperVM, but please note that it
   is not exploitable, but still, all customers are urged to update
   hyperVM to the latest version."


  "An XSS problem has been discovered in hyperVM. Please note that it
  is not exploitable. We have fixed this in the latest version."

Finally, at http://www.webhostingtalk.com/showthread.php?t=570655 (but
I'm not sure if this is a vendor Rep):

  Also I don't know what you mean by legitimate, but this is NOT
  exploitable. In fact, we do take a lot of effort to make sure that
  lower level clients cannot enter values that can be exploited to
  make admin inadvertently commit anything out of the way. It is a bug
  in hyperVM, but not a vulnerability.

  If you want to see what exactly is an exploitable XSS vulnerability,
  you can see here:


The "BUG #1" item in the RS Labs advisory is CSRF, *not* XSS.

So, I'm not sure what they mean by "not exploitable" here.  Not
exploitable for CSRF style attacks?  The problem doesn't even exist
for basic XSS?

And more importantly - if there's no problem, then what was fixed?

- Steve

More information about the VIM mailing list