[VIM] Vendor dispute of CVE-2006-2184

Steven M. Christey coley at mitre.org
Fri May 12 01:28:49 EDT 2006


FYI... while d4igoro's web page notes that the vendor disputes this
issue, and this is reflected in the CVE, the vendor has sent email
directly to CVE/NVD saying:

  there is no such hole in our product and we fully claim that our
  product PHPKB Knowledge Base Script is free from any such
  “script attack” hole in it. You can test the script at
  http://www.knowledgebase-script.com/demo/

Having been given their go-ahead to test their demo site, you can
predict what I was able to find out within about 2 minutes.

granted, <abc> and <script> did not work, but...

hint: onmouseover anybody?

oh ok, I'll save you the 30 seconds:

  " onmouseover="javascript:alert('hi')"

Make sure to wave your mouse over the search form.

I'll be sure to pass on their response to this latest finding.

- Steve

P.S. Brian, weren't you gonna write up a "so somebody has found an XSS
and you dispute it" FAQ?  ;-) Or did something have to happen first?


======================================================
Name: CVE-2006-2184
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2184
Acknowledged: unknown discloser-claimed
Announced: 20060502
Flaw: XSS
Reference: MISC:http://d4igoro.blogspot.com/2006/05/phpkb-knowledge-base-xss.html
Reference: FRSIRT:ADV-2006-1628
Reference: URL:http://www.frsirt.com/english/advisories/2006/1628
Reference: SECUNIA:19913
Reference: URL:http://secunia.com/advisories/19913

** DISPUTED **

Cross-site scripting (XSS) vulnerability in search.php in PHPKB
Knowledge Base allows remote attackers to inject arbitrary web script
or HTML via the searchkeyword parameter.  NOTE: the original
researcher claims that the vendor disputed the vulnerability, saying
that only the vendor's own demo page was affected.  On 20060511, the
vendor notified CVE that the dispute was still active.  At the
invitation of the vendor to test the demo site, CVE was able to verify
an XSS javascript event variant in the demo page.


Analysis:

ACKNOWLEDGEMENT: at the top of the researcher's page for this
vulnerability he says "pdate: the vendor have informed me that there
is no hole. i only had a look on the online demo. if you want you can
send me a fullversion. :)"

ACCURACY: on 20060510, the vendor emailed a dispute to CVE regarding
this issue, suggesting that CVE could test their demo web site.  CVE
(Christey) quickly found a javascript event XSS variant and notified
the vendor early in 20060511.  As of 20060511, the issue appears to be
legitimate.
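
Added example, not part of the original post and not PHPKB's code: a sketch of why a filter that stops <abc> and <script> still lets the quoted onmouseover value through when the keyword is echoed into a double-quoted attribute, next to attribute-context encoding. The form markup, the strip_tags filter and all function names are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the keyword quoted in the post above.
KEYWORD = '" onmouseover="javascript:alert(\'hi\')"'

FORM = '<input type="text" name="searchkeyword" value="%s">'  # assumed markup


def strip_tags(value):
    """Hypothetical filter: removes <...> sequences and nothing else."""
    return re.sub(r"<[^>]*>", "", value)


def render_unsafe(keyword):
    """Tag filter only: quotes in the keyword reach the attribute unencoded."""
    return FORM % strip_tags(keyword)


def render_safe(keyword):
    """Encode for the attribute context; quote=True also encodes " and '."""
    return FORM % html.escape(keyword, quote=True)


class _InputAttrs(HTMLParser):
    """Records the attributes a parser actually sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup):
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def event_handlers(markup):
    """Names of on* attributes present on the rendered <input>."""
    return sorted(n for n in input_attributes(markup) if n.startswith("on"))
```

The same parse-and-inspect check can serve as a regression test for any field that reflects request input into an attribute value.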



