[VIM] Re: A few more apps vulnerable to PHP XML-RPC exploits (fwd)

Steven M. Christey coley at linus.mitre.org
Fri Jul 8 13:23:05 EDT 2005


On Fri, 8 Jul 2005, security curmudgeon wrote:

> We're still debating on whether this gets one entry in OSVDB, or gets
> broken out (like CVE appears to be doing).

CVE is doing this by accident because certain applications aren't directly
saying that they're vulnerable to this particular problem, and we've only
just become aware of how much this is being used.

The normal approach in CVE is to assign one identifier per codebase,
regardless of how many applications use it.  This obviously has its own
difficulties, especially for people who use CVE to track vulnerabilities
in specific deployed applications in their enterprise.  On the other hand,
if someone asks "hey, I've been hearing about this XML-RPC bug, does
product X have it?"  they have a better chance of answering that question.
This is one example of why CVE is an 80% solution for everybody but not a
100% solution for anybody.

zlib is another good example of a library that's heavily used across many
products.

- Steve
