• Welcome to the Chevereto user community!

    Here users from all over the world gather around to learn the latest about Chevereto and contribute with ideas to improve the software.

    Please keep in mind:

    • This community is user driven. Be polite with other users.
    • Is required to purchase a Chevereto license to participate in this community (doesn't apply to Pre-sales).
    • Purchase a Pro Subscription to get access to active software support and faster ticket response times.

Chevereto 1.91 XSS Vulnerability

Status
Not open for further replies.

Rodolfo

👑 Chevereto Godlike
Chevereto Staff
Administrator
Few days ago vulnerabilities affecting 1.91 have been discovered and they have populate the web quite well, in fact... 1.91 is still a pretty wide used script.

The notices can be found here:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2918
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2919
http://xforce.iss.net/xforce/xfdb/75476
http://xforce.iss.net/xforce/xfdb/75477
http://www.securityfocus.com/bid/53448
http://packetstormsecurity.org/file...pt-Cross-Site-Scripting-User-Enumeration.html
http://www.1337day.com/exploits/18234

And yes, they are correct. In fact, NB has more issues than that. I could easily think in 4 or 5 more but they haven't found it yet and to me is pointless to indicate what bugs are because that release is discontinued.

Something that I will like to say is that some of this reports talks about username enumeration and that really don't have any sense. I mean, NB hasn't users or a dB with user->uploads or anything like that so is most likely just a buzz regarding that issue.

The fact is that 1.91 won't be fixed because fixing 1.91 means re-open a discontinued script and rewrite it all. That's is non sense, that is not the way that things works. If someone want to fix NB carry on, is Open Source that means that you don't need me to come and fix it or ask me permission to do it... That is the good thing about being a Open Source script.

So, Chevereto (and I) have officially dropped the offer of Chevereto 1.91 on this site. You can only find this script on google code and use it at your own risk.
 
Status
Not open for further replies.
Back
Top