[VIM] StaticStore XSS - Vendor disputes, but I dispute the dispute

Steven M. Christey coley at mitre.org
Fri Dec 16 15:49:21 EST 2005


I sent StaticStore a request to acknowledge the XSS issue as reported
by r0t in StaticStore Search Engine 1.189A for search.cgi.

The vendor disputed saying "No, it is not accurate - please show me
proof of the vulnerability.  If your site cannot show proof, I would
appreciate you removing the misinformation from your site.  If this is
not done by the first day of next week I will be forced to contact
both Blogger and ask our attorney to handle this matter."

Since the vendor requested proof, I showed how a basic XSS injection
was possible on the demo site.  I also informed the vendor about how
XSS is number 4 on OWASP's "Top Ten Web Application" vulnerabilities
list, and that best practices - as advocated by the National
Infrastructure Advisory Council's "Vulnerability Disclosure Framework"
- require a security response contact, which StaticStore did not
have, forcing me to contact a sales address.

I am now patiently awaiting response.

Can anyone else confirm that this issue is real?

- Steve


======================================================
Name: CVE-2005-4284
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4284
Reference: MISC:http://pridels.blogspot.com/2005/12/staticstore-search-engine-friendly-e.html
Reference: BID:15895
Reference: URL:http://www.securityfocus.com/bid/15895
Reference: FRSIRT:ADV-2005-2915
Reference: URL:http://www.frsirt.com/english/advisories/2005/2915
Reference: SECUNIA:18037
Reference: URL:http://secunia.com/advisories/18037

** DISPUTED **

Cross-site scripting (XSS) vulnerability in StaticStore Search Engine
1.189A and earlier allows remote attackers to inject arbitrary web
script or HTML via unspecified parameters to search.cgi, possibly the
keywords parameter.  NOTE: this issue has been disputed by the vendor,
saying "No, it is not accurate - please show me proof of the
vulnerability.  If your site cannot show proof, I would appreciate you
removing the misinformation from your site.  If this is not done by
the first day of next week I will be forced to contact both Blogger
and ask our attorney to handle this matter."  CVE then provided the
vendor with concrete proof that the issue is real.  CVE is now
awaiting a response.
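The CVE text above describes the classic reflected-XSS pattern: a search term arrives in a query parameter and is written back into the results page without HTML escaping. The following is an added illustration, not code from the post, from r0t's report, or from StaticStore's search.cgi, which I have not seen. It assumes the parameter is named `keywords` (the entry says "possibly"), and uses Python as a stand-in for whatever language the real CGI is written in. It shows the unescaped render beside the escaped one, plus the kind of check a verifier would run to confirm or refute a report: does the submitted markup come back verbatim in the response body?

```python
import html
from urllib.parse import parse_qs, quote

# Constructed sample: a search term carrying markup, and the query string a
# browser would send for it. Not taken from the report or the demo site.
SAMPLE_TERM = "<script>alert(1)</script>"
SAMPLE_QUERY = "keywords=" + quote(SAMPLE_TERM)

# Assumption: the reflected parameter is "keywords" (the CVE entry only says "possibly").
PARAM = "keywords"


def _term_from_query(query_string: str) -> str:
    """Pull the search term out of a raw query string, like a CGI would."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get(PARAM, [""])[0]


def render_results_unescaped(query_string: str) -> str:
    """Hypothetical vulnerable handler: the term is interpolated into HTML as-is."""
    term = _term_from_query(query_string)
    return f"<p>Results for: {term}</p>"


def render_results_escaped(query_string: str) -> str:
    """Hardened handler: the term is HTML-escaped before it reaches the page.

    quote=True also escapes ' and ", so the value is safe inside attribute
    values as well as in element content.
    """
    term = _term_from_query(query_string)
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflected_unescaped(response_body: str, submitted_term: str) -> bool:
    """Verification check for a report like r0t's.

    True when the submitted term contained markup and that markup appears
    verbatim in the response; False when it was escaped or not reflected.
    """
    if "<" not in submitted_term:
        return False  # nothing to look for: no markup was submitted
    return submitted_term in response_body


def query_carries_markup(query_string: str) -> bool:
    """Simple triage filter for access-log review: does this request's search
    term contain angle brackets at all?"""
    return "<" in _term_from_query(query_string)


if __name__ == "__main__":
    # The unescaped handler reproduces the issue; the escaped one does not.
    print(render_results_unescaped(SAMPLE_QUERY))
    print(render_results_escaped(SAMPLE_QUERY))
    print("vulnerable:", reflected_unescaped(render_results_unescaped(SAMPLE_QUERY), SAMPLE_TERM))
    print("hardened:  ", reflected_unescaped(render_results_escaped(SAMPLE_QUERY), SAMPLE_TERM))
```

The `reflected_unescaped` check is the whole of the "concrete proof" step in the thread: submit a term that contains markup, fetch the response, and see whether it comes back untouched. A vendor who wants to close the issue only needs the escaping in `render_results_escaped`, applied at every point where user input is written into the page.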
