[VIM] Vendor ACK for aoblogger 2.3 issues

Steven M. Christey coley at mitre.org
Sat Apr 15 13:55:54 EDT 2006

(hey osvdb - another victory for generic URLs!)

Researcher: alex at evuln

Issues: CVE-2006-0310, CVE-2006-0311, CVE-2006-0312

Forum post:


  Date: Feb 27th 2006 | Subject: Security Fixes!

  I googled aoblogger, and managed to find several websites with info on
  three major security holes, all of which have been fixed in the newest
  version available for download on sourceforge or hotscripts.

In the download, the vendor changelog says:

  Changes in 2.4

  Fixed three major security holes. Source is fully secure as of this
  1) XSS attack in create.php
  2) sql injection in BB Code and in login.php


These descriptions are slightly inconsistent with CVE's descriptions,
so I took a casual look at the source code, which makes it unclear
whether the issues were properly fixed.  Hard to tell on the surface.

- Steve

More information about the VIM mailing list