[VIM] Regarding Web-APP.org WebAPP CVE Entry Details

Web-APP webapp at web-app.org
Thu Jun 28 19:19:33 UTC 2007


That last record in my previous email got a little too much pasted in, for the versions affected. Should be:

 CVE-2007-3424 - "tocat" in move Instant Messages parameter - Must be from
referenced thread note "Instant messages move "to" folder set hard coded
value instead of using query string value." Not good to use user input for
destination folder name, albeit there is a filter on traversal. Was not
necessary to use this field since there is only one folder to which messages
can be moved at this time. Affected: web-app.org WebAPP v0.9.9.3,,,,, and, and; web-app.net WebAPP
NE v0.,; web-app.net WebAPP NE 2007 through at least
20070624. Addressed by web-app.org WebAPP v0.9.9.7.

There was no Instant Message Move feature prior to WebAPP v0.9.9.3.

Sorry about that.

Jos Brown
WebAPP (c) web-app.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.attrition.org/pipermail/vim/attachments/20070628/0c6d539f/attachment.html 

More information about the VIM mailing list