[VIM] vendor dispute: 21878: Polopoly Search Module XSS (fwd)
jericho at attrition.org
Tue Sep 26 17:52:18 EDT 2006
---------- Forwarded message ----------
From: "[iso-8859-1] Jörgen Rydenius"
To: moderators at osvdb.org
Date: Tue, 26 Sep 2006 23:25:46 +0200
Subject: [OSVDB Mods] [Change Request] 21878: Polopoly Search Module XSS
Hi. OSVDB ID 21878 is concerned with "Polopoly Search Module XSS". It is
said to be found in version 9 of the Polopoly product. I have some more
information about this issue:
1. The XSS flaw was only part of the custom implementation of the
http://www.polopoly.com/ site. It was never part of any version of any
Polopoly product, nor delivered to any of Polopoly's customers.
2. The XSS flaw that existed (the search form in the upper right corner) on
the www.polopoly.com site has been fixed.
3. When www.polopoly.com had the XSS flaw it was based on Polopoly 8.6.
Polopoly 9.x was never involved what so ever in this issue. And as I said
earlier, the flaw was not part of Polopoly 8.6 either, it was only in custom
implementation code of the www.polopoly.com site.
4. The www.polopoly.com site is not personalized or permission controlled,
so there was no information of any value to steal by exploiting the XSS
Regards, Jörgen Rydenius
More information about the VIM