[VIM] CVE-2009-2533

Carsten H. Eiram che at secunia.com
Wed Jul 29 08:33:55 UTC 2009

When analysing this vulnerability we noticed that the NULL pointer
dereference error does not actually occur because the
"DataConvertBuffer" property is empty, but instead because the provided
PoC includes a "DataConvertBuffer" property, but no "Content-Length"

Any SET_PARAMETER request containing a "DataConvertBuffer" property (not
necessarily empty) and either no "Content-Length" header or an invalid
one triggers the NULL pointer dereference error.

Our advisory, SA35815, contains a bit more information.


Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist

Weidekampsgade 14 A
DK-2300 Copenhagen S

Phone  +45 7020 5144
Fax    +45 7020 5145
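
A detection check for the condition stated in the message above, as an added example that is not part of the original post or of the Secunia advisory. The function name, the sample requests, the reading of "invalid" as "not a plain decimal number", and the assumption that the property appears as a "DataConvertBuffer:" line are all constructed for illustration.

```python
import re

# Assumption: the property appears as a "DataConvertBuffer:" line somewhere
# in the RTSP message (headers or body); the value may or may not be empty.
PROPERTY_RE = re.compile(rb"^DataConvertBuffer\s*:", re.I | re.M)
# Assumption: "invalid" means anything other than a plain decimal number.
VALID_LENGTH_RE = re.compile(rb"\d+")


def check_request(raw: bytes):
    """Return a reason string if the request matches the condition, else None."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines[0].upper().startswith(b"SET_PARAMETER "):
        return None
    if not PROPERTY_RE.search(raw):
        return None
    # Collect every Content-Length header value that was sent.
    lengths = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            lengths.append(value.strip())
    if not lengths:
        return "missing Content-Length"
    if any(not VALID_LENGTH_RE.fullmatch(v) for v in lengths):
        return "invalid Content-Length"
    return None


# Constructed sample requests (not captured traffic).
REQ = b"SET_PARAMETER rtsp://server.example/ RTSP/1.0\r\nCSeq: 1\r\n"
BODY = b"\r\nDataConvertBuffer: abc\r\n"
SAMPLES = {
    "no_length": REQ + BODY,
    "bad_length": REQ + b"Content-Length: xyz\r\n" + BODY,
    "empty_property": REQ + b"\r\nDataConvertBuffer:\r\n",
    "well_formed": REQ + b"Content-Length: 24\r\n" + BODY,
    "other_parameter": REQ + b"\r\nSomeOtherProperty: 1\r\n",
    "other_method": b"OPTIONS rtsp://server.example/ RTSP/1.0\r\nCSeq: 1\r\n" + BODY,
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16} {check_request(raw)}")
```
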
