[VIM] Generic vs. Specific XSS in phpCodeCabinet 0.4

security curmudgeon jericho at attrition.org
Sun May 22 03:12:23 EDT 2005

: The generic issue probably comes from the changelog here:
:   http://sourceforge.net/project/shownotes.php?release_id=214860

We often get entries from changelogs.. this one was due to the ISS entry 
though, which references the changelog.

: Looks like OSVDB had garnered the CVS diff's for some of these files, 
: namely comments.php (OSVDB:3885), category.php (OSVDB:3886), and 
: input.php (OSVDB:3887).

yep. i dug into the CVS at the time and found those 3 with specific 
mention of security fixes.

: There's also a generic identifier (OSVDB:3920), which points to a 
: generic item from ISS X-Force - phpcodecabinet-multiple-xss(15190) - 
: which in turn points to the previously mentioned changelog. OSVDB:3920 
: also points to Secunia's SA10862, which is also generic, and credits 
: Yao-Wen, which effectively links back to the same changelog.

this is a dupe to the other 3, yep. will remove

: Each of these files has an item in January 2004 that says:
:   Fixed http script injection vulnerabilities.
: Those files are:
:   comments.php
:   category.php
:   input.php
:   browse.php
:   themes/facade/header.php
:   themes/phpcc/header.php

interesting. the night i checked, only the 3 had them. wonder if the other 
3 surfaced a day or two after i made entries..

: So, the infosources that use generic *and* specific entries for 
: phpCodeCabinet 0.4 XSS now have a little more information to work with.

Sure does, thanks for catching this!

More information about the VIM mailing list