[VIM] OpenWiki (CVE-2006-2473) dispute
Steven M. Christey
coley at linus.mitre.org
Tue Sep 16 00:17:59 UTC 2008
Dispute by the owner of a web site who has talked to the developer:
http://www.openwiki.com/ow.asp?OpenWikiVulnerability
http://www.openwiki.com/ow.asp?XssVulnerability
I didn't investigate too closely, but the original disclosure by
LiNuX_rOOt was rather brief and didn't include the specific XSS pattern
that triggered the issue. I don't remember that researcher's reliability.
- Steve
======================================================
Name: CVE-2006-2473
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2473
Reference: BUGTRAQ:20060517 OpenWiki<--v0.78 Cross-Site Scripting
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/434295/100/0/threaded
Reference: MISC:http://www.openwiki.com/ow.asp?OpenWikiVulnerability
Reference: MISC:http://www.openwiki.com/ow.asp?XssVulnerability
Reference: BID:18013
Reference: URL:http://www.securityfocus.com/bid/18013
Reference: SREASON:920
Reference: URL:http://securityreason.com/securityalert/920
Reference: XF:openwiki-ow-xss(26517)
Reference: URL:http://xforce.iss.net/xforce/xfdb/26517
** DISPUTED **
Cross-site scripting (XSS) vulnerability in ow.asp in OpenWiki 0.78
allows remote attackers to inject arbitrary web script or HTML via the
p parameter. NOTE: this issue has been disputed by the vendor and a
third party who is affiliated with the product. The vendor states
"You cannot insert code in a wikipage or via URL parameters as they
are all escaped before usage, so nothing can be compromised at other
sites."