[VIM] wtf: StylesDemo mod XSS

George A. Theall theall at tenablesecurity.com
Wed Sep 19 20:25:32 UTC 2007

On 09/19/07 13:28, Steven M. Christey wrote:

> The title says "multiple vulns" and the description mentions XSS but
> there's no exploit code or demo URL that actually does XSS.
> To me, this amounts to unactionable rumors from a researcher of
> unknown reliability (or just a cut-and-paste error), so I'm tempted to
> ignore it.  Unless someone else found something?

The XSS attack works because the value for 's' is returned as part of 
the SQL error message. Works for me on a quick and dirty install of 
version 1.0.9.

theall at tenablesecurity.com

More information about the VIM mailing list