[VIM] Web-APP.org feedback on CVE-2007-3242

Steven M. Christey coley at linus.mitre.org
Wed Jun 27 16:12:45 UTC 2007

This was sent to VIM but didn't seem to make it through approval for some
reason.  Jericho, were you mass-deleting VIM spam again? :)

- Steve

Date: Wed, 27 Jun 2007 06:15:19 -0700
From: Web-APP <webapp at web-app.org>
To: Vulnerability Information Managers <vim at attrition.org>
Subject: Re: [VIM] CVE-2007-3242 (fwd)


I exchanged a couple emails with Brian of OSVDB where I mentioned that I
had some details about this and some of the other recently posted CVE
entries on WebAPP. He suggested that I post any relevant details here.

Regarding this specific CVE entry - The Menu Manager System Access issue
was patched by web-app.org's WebAPP v0.9.9.6 of February 2007. It was
reported as being in June which is incorrect.

Web-app.org's Menu Manager patch is a different approach than that
released by .net last week and involves removal of the system command used
for execution of the exploit along with adding filtering on the form
submitted data. There is further work completed on the menu system for
the next version.

I'm working on the other CVE items and will forward any details I come up
with as I assemble the information.

Jos Brown
WebAPP (c) web-app.org
