[VIM] Vendor dispute of Lighthouse CMS XSS (CVE-2005-4780)

security curmudgeon jericho at attrition.org
Mon Apr 17 23:53:33 EDT 2006

: I concur with the vendor.  Interestingly, the vendor says that OSVDB also 
: reported this issue, but it doesn't seem like they contacted OSVDB...

: Name: CVE-2005-4780
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4780

: Reference: MISC:http://www.lighthouse-cms.de/en/news/

Hah, this is amusing. Copying here for archiving =)


Alleged Security Issue in Lighthouse
On February 10, 2006, it was brought to our attention that the web 
page pridels.blogspot.com claims to have found a security issue regarding 
Lighthouse on December 18, 2005. At 
http://pridels.blogspot.com/2005/12/lighthouse-cms-xss-vuln.html it is 
claimed that Lighthouse is supposedly susceptible to client-side 

We wish to inform you that this notification is false: The allegation is 
lacking any basis. The Lighthouse Content Management System is not, and 
never has been, susceptible to attacks like this and does not exhibit any 
known security issues in this or any other way. In our opinion, security 
warnings concerning software products have to be taken very seriously; 
this, however, requires that security warnings are verified diligently 
before being made public.

We regret how carelessly this has been handled by pridels.blogspot.com and 
wish to point out the following:

    * We have not been informed of this alleged security issue, either 
before or after the publication mentioned above.
    * Other web pages, e.g. 
http://www.osvdb.org/displayvuln.php?osvdb_id=21852, have copied the false 
statement without further verification and describe the alleged issue like 
this: "This flaw exists because the application does not validate the 
'search' variable upon submission to the 'index.php' script." This 
statement is absurd, because Lighthouse does not in any way make use of 
the PHP technology.
    * The Lighthouse Content Management System is an application server, 
providing the user with powerful functionality to create, program and 
manage web-based applications. A technology like this cannot be 
susceptible to client-side cross-site-scripting attacks on its own; only 
applications created on top of such a technology can be. This applies not 
only to Lighthouse, but also to Perl, PHP or web applications based on 
Java Servlet technology.
