[VIM] Codebase relationships between My Blog and M. Blom HTML::BBCode

Steven M. Christey coley at mitre.org
Fri Feb 17 20:05:55 EST 2006


I ran into this accidentally while reviewing some alex at evuln
advisories.  He linked 2 distinct issues to the same CVE, and it turns
out he was right, based on CVE's content decisions.

In short: the M. Blom HTML::BBCode product produces a "BBCode.pm" that
is included in My Blog, and maybe other products too.  The "BBCode.pm"
from a fixed My Blog, and a fixed HTML::BBCode, is exactly the same.

Since CVE merges issues if they share the same codebase, these 2
products were merged into a single CVE.  See below.

- Steve

Name: CVE-2006-0735
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0735
Announced: 20060213
Flaw: XSS
Reference: BUGTRAQ:20060215 [eVuln] My Blog BBCode XSS Vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/425087/100/0/threaded
Reference: MISC:http://evuln.com/vulns/79/summary.html
Reference: BUGTRAQ:20060215 [eVuln] M. Blom HTML::BBCode perl module XSS Vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/425113/100/0/threaded
Reference: MISC:http://www.evuln.com/vulns/80/summary.html
Reference: CONFIRM:http://menno.b10m.net/perl/HTML-BBCode/Changes
Reference: CONFIRM:http://menno.b10m.net/perl/dists/HTML-BBCode-1.05.tar.gz
Reference: CONFIRM:http://fuzzymonkey.net/forum/viewtopic.php?t=856
Reference: BID:16659
Reference: URL:http://www.securityfocus.com/bid/16659

Cross-site scripting (XSS) vulnerability in BBcode.pm in M. Blom
HTML::BBCode 1.04 and earlier, as used in products such as My Blog
before 1.65, allows remote attackers to inject arbitray Javascript via
a javascript URI in an (1) img or (2) url BBcode tag.

ABSTRACTION: Blom HTML::BBCode is created as a library, and this
library is clearly used by My Blog, so CD:SF-CODEBASE applies.

ACKNOWLEDGEMENT: Blom HTML::BBCode changelog says "1.05 ... Fixed XSS
bug (Tiket [sic] 17633, 'HTML::BBCode XSS Vulnerabilities') ... Thanks
to Alex for reporting." The e-mail for Aliaksandr Hartsuyeu is
alex at evuln and thus there are mutual references.

ACKNOWLEDGEMENT: My Blog vendor forum post, dated 20060214, says "New
release today. Fixed XXS vulnerability".  This aligns with evuln's
claims.  Also, a source code analysis shows an exact copy of BBCode.pm
in My Blog as in the fixed version of HTML::BBCode 1.05.

More information about the VIM mailing list