[VIM] Confirmation (source inspection) of various r0t-discovered issues

security curmudgeon jericho at attrition.org
Sun Nov 27 10:26:54 EST 2005


: It definitely isn't source inspection.  Assuming his findings are

Yep, the volume would make that near impossible unless it was a sizable 
team.

: > One of the finds had what I took to be vendor confirmation. There was a
: > freshmeat announce for a new version of software that fixed XSS and SQL
: > Injections. It was released a day after r0t's mail to us and secunia (not
: > sure who else he is mailing), was the next logical version, etc.
: 
: I've been burned once or twice by this assumption, so I don't call it 
: vendor confirmation unless the original disclosure claimed vendor 
: coordination, which is still slightly tenuous, but I think I'm more anal 
: about this than most.  Coincidences are rare, but they happen.

I agree. Without source code inspection of the new version and comparing 
it with the old, it's basically impossible to verify it either. Until we 
get a lot more volunteers with coding background, this will likely be a 
hurdle for VDBs.

: > See above. I'm guessing based on volume alone, that he is doing no real
: > testing beyond single backticks.
: 
: One of his XSS examples was hex-encoded, but I wonder if that was just 
: coincidence.

I can't find the URL now, but a few months ago someone posted a page with 
a few dozen XSS variants, designed for cut/paste testing. It would be 
fairly trivial to have two or three standard XSS attempts for easy 
testing.

: Yes, the lack of working examples is interesting - sometimes he doesn't 
: even include a simple demo URL, although he frequently abstracts them 
: out to the relevant scripts and parameters.  I like the "[SQL]" and 
: other shorthands when researchers use them, but on the other hand it 
: hides whether they *really* found SQL injection or if they just provided 
: an invalid value that caused a non-injectable SQL error.

Right. That is why I like it when they give a sample URL that includes 
[SQL] or preferably a single backtick, so we have a better idea of what 
they tested.
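The ambiguity the thread describes (a single quote that produces a database error versus one that actually reaches the SQL parser) can be shown side by side. This is an added illustration, not code from the list post or from any of the software r0t reported on; the table, the three lookup handlers and the `probe`/`as_seen_remotely` helpers are constructed for the example.

```python
import sqlite3

# Constructed in-memory table standing in for the web app's database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO items (name) VALUES (?)", [("alpha",), ("beta",)])
conn.commit()

def lookup_concat(value):
    # Vulnerable pattern: the input is spliced into the statement text, so a
    # quote reaches the SQL parser and the input can alter query structure.
    sql = "SELECT id, name FROM items WHERE name = '" + value + "'"
    return conn.execute(sql).fetchall()

def lookup_cast(value):
    # Not injectable, yet a quote still errors: the value is converted to an
    # integer before any SQL runs, so the failure is an application error
    # (the "invalid value that caused a non-injectable SQL error" case).
    item_id = int(value)
    return conn.execute("SELECT id, name FROM items WHERE id = ?", (item_id,)).fetchall()

def lookup_param(value):
    # Parameterized: the quote is passed as data and never parsed as SQL.
    return conn.execute("SELECT id, name FROM items WHERE name = ?", (value,)).fetchall()

def probe(handler, value):
    """White-box view (source in hand): classify what one probe value shows."""
    try:
        rows = handler(value)
    except sqlite3.OperationalError:
        return "sql-parse-error"   # input was parsed by the database: injectable
    except (ValueError, TypeError):
        return "app-error"         # failed before any SQL ran: no evidence of injection
    return "rows" if rows else "no-rows"

def as_seen_remotely(handler, value):
    """Black-box view: every exception collapses into a generic error page."""
    try:
        handler(value)
        return "200 OK"
    except Exception:
        return "500 Internal Server Error"
```

From outside, `lookup_concat` and `lookup_cast` both answer a lone quote with the same 500, which is why a backtick-only report cannot settle the question without looking at the code.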


More information about the VIM mailing list