[VIM] Vendor ACK for aoblogger 2.3 issues

Steven M. Christey coley at mitre.org
Sat Apr 15 13:55:54 EDT 2006


(hey osvdb - another victory for generic URLs!)

Researcher: alex at evuln

Issues: CVE-2006-0310, CVE-2006-0311, CVE-2006-0312

Forum post:

  http://mikeheltonisawesome.com/viewcomments.php?idd=46

  Date: Feb 27th 2006 | Subject: Security Fixes!

  I googled aoblogger, and managed to find several websites with info on
  three major security holes, all of which have been fixed in the newest
  version available for download on sourceforge or hotscripts.


In the download, the vendor changelog says:

  Changes in 2.4
  __________________

  Fixed three major security holes. Source is fully secure as of this
  release
  1) XSS attack in create.php
  2) sql injection in BB Code and in login.php


CAVEAT:

These descriptions are slightly inconsistent with CVE's descriptions,
so I took a casual look at the source code, which makes it unclear
whether the issues were properly fixed.  Hard to tell on the surface.

- Steve
