[VIM] CVE-2008-2991 Adobe RoboHelp - XSS or SQLi?
security curmudgeon
jericho at attrition.org
Mon Jan 19 22:05:51 UTC 2009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2991
Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 and 7
allows remote attackers to inject arbitrary web script or HTML via vectors
related to the Help Errors log.
BID 30137 calls it SQLi, no mention of XSS. FRSIRT ADV-2008-2026 lists
both. SecurityTracker 1020442 mentions XSS only. Secunia 31001 mentions
both XSS and SQLi. OSVDB 46867 is the same as CVE, calling it XSS.
Checking the Adobe bulletin, they mention SQLi and their timeline points
out:
July 9, 2008 Bulletin updated to include SQL Injection issue
The original research also says SQLi and likely is the original source:
http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0092.html
[..]
2. Vulnerability Summary
There exists an SQL injection vulnerability in Adobe RoboHelp Server
that allows attackers to inject and execute arbitrary SQL statements. The
SQL would run against the RoboHelp back-end database within the security
context of the application's database connection.
[..]
Recommend updating CVE-2008-2991 to reflect both. I'll be creating an
additional OSVDB for this issue most likely.
More information about the VIM
mailing list