[VIM] Legitimate spelling diffs in Claroline report; XSS unfixed?

security curmudgeon jericho at attrition.org
Sun May 8 02:36:28 EDT 2005

: Issue:
:  BUGTRAQ:20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline
:  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111464607103407&w=2
: The reporters list "exercise_result.php" and "exercice_submit.php",
: which might suggest a spelling discrepancy or typo ("exercise"
: vs. "exercice") but the CVS logs for Claroline indicate that this
: discrepancy is legit:
:   http://cvs.claroline.net/cgi-bin/viewcvs.cgi/Claroline010/claroline/exercice/exercise_result.php
:   http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/exercice/exercice_submit.php
: The CVS log for exercise_result.php does not include any recent mods 
: that specifically mention XSS, nor do the changes show typical XSS 
: protections, and yet it is mentioned by the original researchers as an 
: attack vector.  Possibly a library problem?

I had held off splitting this out on OSVDB so I could examine the 
changelog and other vendor information. 

I'll add this to my to-do list and may end up waiting this out a bit more 
until I can find more confirmation.

More information about the VIM mailing list