[VIM] Security Vulnerabilities reported in blur6ex (fwd)

Steven M. Christey coley at linus.mitre.org
Thu Apr 13 13:34:50 EDT 2006

---------- Forwarded message ----------
Date: Thu, 13 Apr 2006 10:45:44 -0400
From: brian
To: Steven M. Christey <coley at mitre.org>
Subject: Re: Security Vulnerabilities reported in blur6ex


Thank you for alerting us about these issues.  We're working on a fix
right now.



Steven M. Christey wrote:
> Hello,
> I am a computer security professional and the editor for the Common
> Vulnerabilities and Exposures (CVE) project.  CVE is a list of
> software vulnerabilities, and it is widely used in the computer
> security industry.  It is sponsored by the US Department of Homeland
> Security.  (http://www.us-cert.gov/cve/, http://cve.mitre.org/)
> Recently, some vulnerabilities in your product were reported to public
> sources.  References include:
>  http://www.securityfocus.com/archive/1/archive/1/430607/100/0/threaded
>  http://www.securityfocus.com/bid/17465
> I downloaded the product and checked for these issues.  The reports
> look legitimate.
> The problem with the "shard" variable looks very serious.  It looks
> like an attacker could use "../" sequences to access any file on the
> system, and use a null character so that extensions other than .php
> can be accessed.  This could then be used to execute arbitrary code.
> Can you confirm the existence of these issues?  Will a fix be made
> available?
> Thank you,
> Steve Christey
> Principal Information Security Engineer
> CVE Editor
> The MITRE Corporation

More information about the VIM mailing list