[VIM] CVE-2008-6157 / Milw0rm 7613

Steven M. Christey coley at linus.mitre.org
Fri Feb 20 22:58:11 UTC 2009


We've started flagging cleartext storage of sensitive data as a separate
vulnerability, although we're not always consistent on this.  I'm also
pretty fearful of inadvertently doubling our work for every SQL injection.
If programmers aren't ensuring that the "id" parameter is a number, I'd
suspect they're also storing passwords in cleartext in the database :-/

Anyway, in this case, the phrase "In Plaintext" was mentioned in the
milw0rm.  One of our CVE analysts downloaded the product and saw that this
cleartext password storage was in data/classifieds.mdb.  Since a new CVE
was already in order, the .MDB mention was just a detail arising from our
additional research.

Sorry I didn't post a clarification to VIM when we released it.

- Steve

More information about the VIM mailing list