[VIM] Possible HyperVM vendor dispute - but of severity or existence?
Steven M. Christey
coley at mitre.org
Tue Dec 19 20:01:35 EST 2006
Researcher: Aria (keep reading anyway)
Ref: BUGTRAQ:20061217 HyperVM Cross-Site Scripting
URL:http://www.securityfocus.com/archive/1/archive/1/454704/100/0/threaded
So, there appears to be a dispute, but I'm not sure if the vendor
understands the issue.
front page at http://hypervm.com/ :
"... An XSS issue has been found in hyperVM, but please note that it
is not exploitable, but still, all customers are urged to update
hyperVM to the latest version."
http://forum.lxlabs.com/index.php?t=msg&goto=2425&S=664ae54d462254873a6f4a0aed07acf1
"An XSS problem has been discovered in hyperVM. Please note that it
is not exploitable. We have fixed this in the latest version."
Finally, at http://www.webhostingtalk.com/showthread.php?t=570655 (but
I'm not sure if this is a vendor Rep):
Also I don't know what you mean by legitimate, but this is NOT
exploitable. In fact, we do take a lot of effort to make sure that
lower level clients cannot enter values that can be exploited to
make admin inadvertently commit anything out of the way. It is a bug
in hyperVM, but not a vulnerability.
If you want to see what exactly is an exploitable XSS vulnerability,
you can see here:
http://www.rs-labs.com/adv/RS-Labs-Advisory-2006-1.txt
The "BUG #1" item in the RS Labs advisory is CSRF, *not* XSS.
So, I'm not sure what they mean by "not exploitable" here. Not
exploitable for CSRF style attacks? The problem doesn't even exist
for basic XSS?
And more importantly - if there's no problem, then what was fixed?
- Steve
More information about the VIM
mailing list