[VIM] Recent GForge SQL Injection Vulnerabilities

George A. Theall theall at tenablesecurity.com
Sat Oct 6 03:01:21 UTC 2007

In case anyone's interested, it looks like Bugtraq 25585 / CVE-2007-3913 
on one hand and Bugtraq 25665 / CVE-2007-4966 on the other refer to the 
same issue disclosed by Sumit I. Siddharth as part of Portcullis 
Security Advisory 07-014.

The first pair of ids refer to Debian's DSA 1369-1 advisory, which in 
turn credits Sumit I. Siddharth. Their patch 
(gforge_3.1-31sarge2.diff.gz) is fairly large, but it does fix a SQL 
injection issue in editprofile.php involving the variable $skill_delete. 
And the GForge developers have committed a somewhat different fix for 
the issue on September 6th, as shown here:


It references CVE-2007-3913.


theall at tenablesecurity.com

More information about the VIM mailing list