[VIM] CVE-2007-3242 (fwd)
Steven M. Christey
coley at linus.mitre.org
Wed Jun 20 19:50:44 UTC 2007
Remember the web-app.net vs. web-app.org debacle? Here's a little more.
- Steve
---------- Forwarded message ----------
Date: Tue, 19 Jun 2007 15:00:27 -0700 (PDT)
To: cve at mitre.org
Subject: CVE-2007-3242
Hi
Concerning:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3242
This is complete nonsense.
WebAPP (the real one, from http://www.web-app.net ) filters it out; it uses
tainting/untainting. Why don't you guys check things before posting this
sort of nonsense? It's not the first time you have given us at http://www.web-app.net
"credits" for security findings in piratical imitations of our script.
Please check our script version and correct this article.
You will see this:
if ($op eq "Edit") {
    untaint_form1($input{'url'});
    untaint_form1($input{'title'});
}
And this:
unless ($input_to_check =~ /^[\w \:\.\/?-]/ ) {
    error("You entered an invalid character. You may only enter letters, "
        . "slashes, numbers, underscores, spaces, periods, points, question "
        . "marks and hyphens. Kindly try again.");
}
Thank you
On Elpeleg
Security Team, WebAPP
www.web-app.net
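Editor's note, as an added example that is not part of the forwarded message or of WebAPP's code: the whitelist check quoted above, run against a few constructed inputs. As written, the pattern /^[\w \:\.\/?-]/ carries no quantifier and no end anchor, so it only requires the first character to fall in the class; everything after it passes. An anchored variant, and the capture idiom Perl's -T taint mode needs to actually untaint a value, are shown beside it. The sub names, the sample strings and the "anchored" reconstruction are mine, not WebAPP's.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The check exactly as it appears in the forwarded message:
# matches if the FIRST character is in the class, nothing more.
sub posted_check {
    my ($input_to_check) = @_;
    return $input_to_check =~ /^[\w \:\.\/?-]/ ? 1 : 0;
}

# Same character class, anchored at both ends and applied to every
# character (my reconstruction of the apparent intent, not WebAPP's code).
sub anchored_check {
    my ($input_to_check) = @_;
    return $input_to_check =~ /^[\w \:\.\/?-]+$/ ? 1 : 0;
}

# Untainting in the perl -T sense: only data captured from a regex match
# loses its taint, so a whole-string capture both validates and cleans.
# Returns the clean string, or undef when the input does not match.
sub untaint {
    my ($input) = @_;
    my ($clean) = $input =~ /^([\w \:\.\/?-]+)$/;
    return $clean;
}

# Constructed sample inputs (not taken from any real report):
# a plain URL, a plain title, two titles carrying HTML, and an empty string.
my @samples = (
    'http://www.web-app.net/cgi-bin/index.cgi',
    'My links',
    'title<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
    '',
);

for my $s (@samples) {
    my $clean = untaint($s);
    printf "%-36s posted=%d anchored=%d untaint=%s\n",
        "'$s'", posted_check($s), anchored_check($s),
        defined $clean ? "'$clean'" : 'undef';
}
```

Run with plain perl to see the table, or with perl -T to confirm that only the value returned by untaint() can be passed to a file or shell operation without a "Insecure dependency" error. The third sample is the instructive one: it starts with a letter, so the posted check accepts it, while the anchored check and the capture both reject it.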