[VIM] CVE-2006-1854 - Dispute (fwd)

Steven M. Christey coley at linus.mitre.org
Wed May 17 00:29:24 EDT 2006


more on the bluepay dispute, edited to remove identifying information.

Standard "<" and ">" seemed to be stripped, but an onmouseover javascript
event did work.  Does this mean that r0t is testing more interesting
variants?

NOTE - it's a hosted solution.

---------- Forwarded message ----------
Date: Mon, 15 May 2006 11:48:29 -0500
From: Chris Jansen
To: Steven M. Christey <coley at rcf-smtp.mitre.org>
Subject: Re: CVE-2006-1854 - Dispute

Steven,

  Thank you so much for your response!

> The current version is below.  This will be on the CVE web site later
> today, and in NVD shortly thereafter.  We will try to determine the
> validity of the report.
>
> It appears that the researcher did some testing on the following URL:
>
>   https://secure.bluepay.com/login
>
>
> 1) May we test this page for XSS issues?  The tests would be manually done
> in a way that would minimize impact on the server.

You are welcome to test the page for XSS issues.  If you'd like to inform me
before testing, feel free to telephone me at [xyz]

> 2) Is this part of the normal BluePay package that would be available to
> consumers?

https://secure.bluepay.com/login is our login page - it is available to all
customers, yes.

> 3) Is BluePay offered as a separate package to consumers, or is it
> entirely a hosted solution on servers controlled by BluePay?

It is entirely hosted by Bluepay, so any updates to the system affect all
merchants immediately; there are no "copies" in public that would also need
to be updated.

> I hope that we can resolve this issue to everyone's satisfaction.

I hope so as well!  Thank you again for the prompt and courteous reply!

-Chris Jansen
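
Added example (not part of the original message, and not BluePay's code): a Python sketch of why stripping "<" and ">" does not stop an event-handler attribute such as the onmouseover case noted at the top of this post, shown beside attribute-context output encoding. The template, field name and filter behaviour are assumptions, since the message does not say where the input was reflected.

```python
import html
from html.parser import HTMLParser

EXPECTED_ATTRS = {"type", "name", "value"}  # attributes the template itself emits

def strip_angle_brackets(value: str) -> str:
    """Assumed weak filter: removes '<' and '>' and nothing else."""
    return value.replace("<", "").replace(">", "")

def encode_for_attribute(value: str) -> str:
    """Contextual output encoding: &, <, >, double and single quotes become entities."""
    return html.escape(value, quote=True)

def render_field(value: str, sanitizer) -> str:
    """Hypothetical template reflecting a request value into a quoted attribute."""
    return '<input type="text" name="user" value="%s">' % sanitizer(value)

class _AttrCollector(HTMLParser):
    """Records every start tag with its parsed attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def injected_attributes(markup: str) -> set:
    """Attribute names present in the rendered markup that the template did not emit."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    found = set()
    for _tag, attrs in parser.tags:
        found |= set(attrs) - EXPECTED_ATTRS
    return found

# Constructed test inputs: one tag-based, one that only needs a double quote.
SAMPLES = {
    "tag": "<script>alert(1)</script>",
    "handler": 'x" onmouseover="alert(1)',
}

def audit(sanitizer) -> dict:
    """Render each sample through the sanitizer and list any unexpected attributes."""
    return {name: sorted(injected_attributes(render_field(value, sanitizer)))
            for name, value in SAMPLES.items()}

if __name__ == "__main__":
    print("strip < and >     :", audit(strip_angle_brackets))
    print("attribute encoding:", audit(encode_for_attribute))
```

The same parse-and-compare check can serve as a regression test: any attribute outside the template's own set on a rendered element means the reflected value escaped its quotes.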

