CVE-2008-4677 Information

Description

autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname deliberately."

Reference

http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
http://secunia.com/advisories/31464
http://secunia.com/advisories/34418
http://www.mandriva.com/security/advisories?name=MDVSA-2008:236
http://www.openwall.com/lists/oss-security/2008/10/06/4
http://www.openwall.com/lists/oss-security/2008/10/16/2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
http://www.securityfocus.com/archive/1/495432
http://www.securityfocus.com/archive/1/495436
http://www.securityfocus.com/bid/30670
http://www.vupen.com/english/advisories/2008/2379
https://bugzilla.redhat.com/show_bug.cgi?id=461750
https://exchange.xforce.ibmcloud.com/vulnerabilities/44419
