[VIM] CVE-2008-2991 Adobe RoboHelp - XSS or SQLi?

security curmudgeon jericho at attrition.org
Mon Jan 19 22:05:51 UTC 2009


Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 and 7 
allows remote attackers to inject arbitrary web script or HTML via vectors 
related to the Help Errors log.

BID 30137 calls it SQLi, no mention of XSS. FRSIRT ADV-2008-2026 lists 
both. SecurityTracker 1020442 mentions XSS only. Secunia 31001 mentions 
both XSS and SQLi. OSVDB 46867 is the same as CVE, calling it XSS.

Checking the Adobe bulletin, they mention SQLi and their timeline points 

July 9, 2008  Bulletin updated to include SQL Injection issue

The original research also says SQLi and likely is the original source:



2. Vulnerability Summary

    There exists an SQL injection vulnerability in Adobe RoboHelp Server 
that allows attackers to inject and execute arbitrary SQL statements. The 
SQL would run against the RoboHelp back-end database within the security 
context of the application's database connection.


Recommend updating CVE-2008-2991 to reflect both. I'll be creating an 
additional OSVDB for this issue most likely.

More information about the VIM mailing list