[VIM] Vendor ACK for aoblogger 2.3 issues
Steven M. Christey
coley at mitre.org
Sat Apr 15 13:55:54 EDT 2006
(hey osvdb - another victory for generic URLs!)
Researcher: alex at evuln
Issues: CVE-2006-0310, CVE-2006-0311, CVE-2006-0312
Date: Feb 27th 2006 | Subject: Security Fixes!

I googled aoblogger, and managed to find several websites with info on
three major security holes, all of which have been fixed in the newest
version available for download on sourceforge or hotscripts.

In the download, the vendor changelog says:
Changes in 2.4
Fixed three major security holes. Source is fully secure as of this
1) XSS attack in create.php
2) sql injection in BB Code and in login.php

These descriptions are slightly inconsistent with CVE's descriptions,
so I took a casual look at the source code, which makes it unclear
whether the issues were properly fixed. Hard to tell on the surface.