[VIM] Codebase relationships between My Blog and M. Blom HTML::BBCode
Steven M. Christey
coley at mitre.org
Fri Feb 17 20:05:55 EST 2006
I ran into this accidentally while reviewing some alex at evuln
advisories. He linked 2 distinct issues to the same CVE, and it turns
out he was right, based on CVE's content decisions.
In short: the M. Blom HTML::BBCode product produces a "BBCode.pm" that
is included in My Blog, and maybe other products too. The "BBCode.pm"
from a fixed My Blog, and a fixed HTML::BBCode, is exactly the same.
Since CVE merges issues if they share the same codebase, these 2
products were merged into a single CVE. See below.
Reference: BUGTRAQ:20060215 [eVuln] My Blog BBCode XSS Vulnerabilities
Reference: BUGTRAQ:20060215 [eVuln] M. Blom HTML::BBCode perl module XSS Vulnerabilities
Cross-site scripting (XSS) vulnerability in BBcode.pm in M. Blom
HTML::BBCode 1.04 and earlier, as used in products such as My Blog
ABSTRACTION: Blom HTML::BBCode is created as a library, and this
library is clearly used by My Blog, so CD:SF-CODEBASE applies.
ACKNOWLEDGEMENT: Blom HTML::BBCode changelog says "1.05 ... Fixed XSS
bug (Tiket [sic] 17633, 'HTML::BBCode XSS Vulnerabilities') ... Thanks
to Alex for reporting." The e-mail for Aliaksandr Hartsuyeu is
alex at evuln and thus there are mutual references.
ACKNOWLEDGEMENT: My Blog vendor forum post, dated 20060214, says "New
release today. Fixed XXS vulnerability". This aligns with evuln's
claims. Also, a source code analysis shows an exact copy of BBCode.pm
in My Blog as in the fixed version of HTML::BBCode 1.05.