[VIM] PROMS issues - partial clarity in the changelog
jericho at attrition.org
Tue May 24 19:19:48 EDT 2005
: SecurityTracker  reported details for various issues in PROMS
: before 0.11, but the original vendor announcement here:
I caught this via Freshmeat on May 5 and dug into the changelog:
: But the CHANGELOG file, as included in the download for PROMS 0.11,
: has these additional details:
: * Various SQL queries where vulnerable to SQL injections. Fixed. (See also
16716 PROMS Multiple Unspecified SQL Injection May 5, 2005
: * Certain combinations of rights caused users to be granted more rights then
: they should have been. Fixed.
16715 PROMS Unspecified User Rights Logic Flaw May 5, 2005
: * It was possible for non-authorized users to view and modify the list of
: project members. Fixed.
16714 PROMS Project Member List Unauthorized Modification May 5, 2005
: * Todos could be modified by non-authorized users. Fixed.
: * A few places didn't filter out HTML entities correctly. Fixed.
: * Various improvements in the security checks. Many checks depended on
: being the project owner where they should have depended on the individual
: access right. Fixed.
these three entries dont look familiar. i'm wondering if they were added
after i went through the first time. i'll have to look at making entries.
: There are other items in the changelog that might warrant review, but
: these were the interesting ones that I saw.
Also historically, I dug out two more entries:
16713 PROMS Unauthorized Action Link Disclosure Aug 28, 2003
16712 PROMS Unspecified SESSION ID Privilege Escalation Aug 10, 2003
More information about the VIM