[VIM] Possible HyperVM vendor dispute - but of severity or existence?
Steven M. Christey
coley at mitre.org
Tue Dec 19 20:01:35 EST 2006
Researcher: Aria (keep reading anyway)
Ref: BUGTRAQ:20061217 HyperVM Cross-Site Scripting
So, there appears to be a dispute, but I'm not sure if the vendor
understands the issue.
front page at http://hypervm.com/ :
"... An XSS issue has been found in hyperVM, but please note that it
is not exploitable, but still, all customers are urged to update
hyperVM to the latest version."
"An XSS problem has been discovered in hyperVM. Please note that it
is not exploitable. We have fixed this in the latest version."
Finally, at http://www.webhostingtalk.com/showthread.php?t=570655 (but
I'm not sure if this is a vendor Rep):
Also I don't know what you mean by legitimate, but this is NOT
exploitable. In fact, we do take a lot of effort to make sure that
lower level clients cannot enter values that can be exploited to
make admin inadvertently commit anything out of the way. It is a bug
in hyperVM, but not a vulnerability.
If you want to see what exactly is an exploitable XSS vulnerability,
you can see here:
The "BUG #1" item in the RS Labs advisory is CSRF, *not* XSS.
So, I'm not sure what they mean by "not exploitable" here. Not
exploitable for CSRF style attacks? The problem doesn't even exist
for basic XSS?
And more importantly - if there's no problem, then what was fixed?
More information about the VIM