[VIM] Vendor dispute - Google Custom Search Engine XSS (CVE-2007-3484)

Steven M. Christey coley at linus.mitre.org
Tue Jul 10 18:03:46 UTC 2007


Dispute from the Google security team.  Apparently the original researcher
found an issue in a modified site.  Not sure if other VDBs picked it up.

- Steve


Date: Fri, 6 Jul 2007 15:28:34 -0700
To: cve at mitre.org, coley at rcf-smtp.mitre.org
Subject: Followup to CVE-2007-3484

The Google security team discovered the CVE candidate CVE-2007-3484
and would like to submit the following vendor response.

"This is not a bug in the Google Custom Search Engine
(http://google.com/coop/cse/) product, as Google does not provide the
"search.php" script referenced.  When a user creates a custom search
engine, we provide them with a block of javascript to include on their
site.  Some users write additional code around this block of javascript to
further customize their website.  The three examples provided at
websecurity.com.ua/1050/ are three independent XSS vulnerabilities in
their own respective sites and are not related to Google.

Google is an ardent believer in responsible disclosure, as it helps
protect users from exploitation of security flaws. If you find an issue
with a Google product, please notify us at security at google.com. We
appreciate the efforts of security researchers who have responsibly
disclosed issues in our software; we are happy to thank contributors on
www.google.com/corporate/security.html. "

security at google.com


More information about the VIM mailing list