Chevereto 1.91 XSS Vulnerability

Status
Not open for further replies.

Rodolfo

⭐ Chevereto Godlike
Chevereto Staff
Administrator
A few days ago, vulnerabilities affecting 1.91 were discovered and they have populated the web quite well; in fact, 1.91 is still a pretty widely used script.

The notices can be found here:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2918
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2919
http://xforce.iss.net/xforce/xfdb/75476
http://xforce.iss.net/xforce/xfdb/75477
http://www.securityfocus.com/bid/53448
http://packetstormsecurity.org/file...pt-Cross-Site-Scripting-User-Enumeration.html
http://www.1337day.com/exploits/18234

And yes, they are correct. In fact, NB has more issues than that. I could easily think of 4 or 5 more, but they haven't found them yet, and to me it is pointless to indicate what the bugs are because that release is discontinued.

Something that I would like to say is that some of these reports talk about username enumeration, and that really doesn't make any sense. I mean, NB doesn't have users or a DB with user->uploads or anything like that, so it is most likely just buzz regarding that issue.

The fact is that 1.91 won't be fixed, because fixing 1.91 means reopening a discontinued script and rewriting it all. That is nonsense; that is not the way things work. If someone wants to fix NB, carry on: it is Open Source, which means that you don't need me to come and fix it or to ask my permission to do it... That is the good thing about being an Open Source script.

So, Chevereto (and I) have officially dropped the offer of Chevereto 1.91 on this site. You can only find this script on Google Code and use it at your own risk.
 