[VIM] CVE-2006-1854 (Bluepay) vendor dispute

Stuart Moore smoore at securityglobal.net
Fri May 12 23:57:17 EDT 2006


Oh, and there is also this problem:

https://secure.bluepay.com/login?NURL="<i>test</i>

And this is all before you enter the front door ...

Stuart



Stuart Moore wrote:
> Steve,
> 
> The script seems to remove the greater than and less than characters. 
> But, your onmouseover example from the previous dispute works just fine 
> in the username field:
> 
> " onmouseover="javascript:alert('hi')"
> 
> :-)
> 
> Stuart
> 
> 
> Steven M. Christey wrote:
>> Following the traditional Friday dispute pattern...  I have not
>> investigated yet.
>>
>> a r0t production.
>>
>> - Steve
>>
>>
>> ---------- Forwarded message ----------
>> Date: Fri, 12 May 2006 15:54:11 -0500
>> From: Chris Jansen
>> To: cve at mitre.org
>> Cc: nvd at nist.gov
>> Subject: CVE-2006-1854 - Dispute
>>
>> To Whom it May Concern,
>>
>>   As an authorized representative of Bluepay, Inc, as well as the primary
>> programmer on the Bluepay staff, I'd like to formally dispute 
>> CVE-2006-1854,
>> which reads as follows:
>>
>> "Multiple cross-site scripting (XSS) vulnerabilities in BluePay 
>> Manager 2.0
>> and earlier allow remote attackers to inject arbitrary web script or HTML
>> during a login action via the (1) Account Name and (2) Username field."
>>
>> Reference: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1854
>>
>> I doubt this vulnerability ever existed, but assuming it did exist at 
>> some
>> point, it does not exist currently in the Bluepay 2.0 product.
>>
>> Please let me know what steps I can take next to have this entry 
>> listed as
>> vendor-disputed, or outright incorrect information.
>>
>> -Chris Jansen
>> 630-723-4093
>>
>> Senior Analyst
>> Bluepay, Inc
>> 184 N Shuman Blvd
>> Naperville, IL 60563
>>
> 


More information about the VIM mailing list