[VIM] Blaming product vendors for other vendors' "features"

security curmudgeon jericho at attrition.org
Tue Oct 25 21:20:03 EDT 2005


: How are other VDB's handling situations in which Internet Explorer 
: automatic type detection feature renders HTML in .GIF/.JPG files as if 
: it's HTML?  

So far, we're making seperate entries but I recognized this recently and 
wondered. Before this, the other possibly similar thing that came up was 
some XSS vulns that only occur if the victim uses MSIE.

: Theoretically, every single web application that allows uploads is 
: "vulnerable" - is it really the application vendors' responsibility to 
: work around this "feature"?  From a VDB perspective I don't like the 
: idea of "blaming" the wrong party and/or adding dozens or hundreds of 
: entries for products that don't work around another product's feature.

Ditto, but the obvious problem is isolating exactly what is causing it and 
making it well known. This will help prevent subsequent reports and 
copycat vuln disclosures.



More information about the VIM mailing list