[VIM] wtf: StylesDemo mod XSS
George A. Theall
theall at tenablesecurity.com
Wed Sep 19 20:25:32 UTC 2007
On 09/19/07 13:28, Steven M. Christey wrote:
> The title says "multiple vulns" and the description mentions XSS but
> there's no exploit code or demo URL that actually does XSS.
>
> To me, this amounts to unactionable rumors from a researcher of
> unknown reliability (or just a cut-and-paste error), so I'm tempted to
> ignore it. Unless someone else found something?
The XSS attack works because the value for 's' is returned as part of
the SQL error message. Works for me on a quick and dirty install of
version 1.0.9.
George
--
theall at tenablesecurity.com
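The mechanism George describes, a request parameter echoed into an SQL error message without output encoding, is shown below in an added Python illustration that is not part of the thread or of the StylesDemo mod itself. The handler names, the HTML wrapper text and the sample input are assumptions; only the parameter name `s` comes from the discussion. The reflection check at the end is the kind of test a reviewer would run to confirm whether encoding is applied.

```python
"""Added illustration (not the StylesDemo mod's code): an SQL error message
that interpolates the request parameter 's' into HTML, once unencoded and
once with HTML encoding applied, plus a simple reflection check.

The function names, the error-message wording and the sample values are
constructed for this example.
"""
from html import escape


def build_error_unescaped(s: str) -> str:
    # Weak pattern: the raw value of 's' lands in the HTML body verbatim,
    # so any markup in the parameter is rendered by the browser.
    return f"<p>SQL error near '{s}'</p>"


def build_error_escaped(s: str) -> str:
    # Hardened pattern: encode the value for an HTML text context first.
    # quote=True also encodes ' and ", so the value is safe inside
    # attribute values as well as element text.
    return f"<p>SQL error near '{escape(s, quote=True)}'</p>"


def reflects_markup(page: str, value: str) -> bool:
    # Check a reviewer or scanner applies: does the response body contain
    # the submitted value verbatim when that value carries markup?
    return value in page


if __name__ == "__main__":
    probe = "<i>probe</i>"   # constructed, harmless tag used only to detect reflection
    print(reflects_markup(build_error_unescaped(probe), probe))  # True
    print(reflects_markup(build_error_escaped(probe), probe))    # False
```

The hardened variant encodes at the point where untrusted data enters an HTML context; doing it there rather than on input keeps the raw value available for logging while guaranteeing the browser never interprets it as markup.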