[VIM] Blaming product vendors for other vendors' "features"
Sullo
sullo at cirt.net
Tue Oct 25 21:34:43 EDT 2005
security curmudgeon wrote:
>: How are other VDB's handling situations in which Internet Explorer's
>: automatic type detection feature renders HTML in .GIF/.JPG files as if
>: it's HTML?
>
>So far, we're making separate entries but I recognized this recently and
>wondered. Before this, the other possibly similar thing that came up was
>some XSS vulns that only occur if the victim uses MSIE.
>
Well, I read the info that sparked this and decided that it's an IE
problem, not a particular web app. So I'd argue it should be listed as a
flaw in IE, not in the products that store and send the image file as an
"image."
After all... the list of products impacted by this is probably
everything out there that gets/stores/displays an image--even if they
are doing (some) verification... but the root "problem" is that IE does
something it probably shouldn't.
-Sullo
--
http://www.cirt.net/ | http://www.osvdb.org/
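The "(some) verification" Sullo mentions is the upload-side check a product can do against this sniffing behaviour. Below is an added example, not code from the thread or from any product discussed: it checks that a stored "image" starts with a real image signature and that the leading bytes a sniffer inspects carry no HTML markers. The marker list and the 256-byte window are assumptions, not IE's documented table.

```python
import re
from typing import Optional, Tuple

# Magic-byte prefixes for the image types the thread mentions (GIF, JPEG), plus PNG.
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Tags that browser content sniffers have treated as "this body is HTML".
# Illustrative list (assumption), not IE's exact detection table.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|meta|title|div|table|a\s|img|style|object|embed)\b",
    re.IGNORECASE,
)
# Sniffers only inspect leading bytes; 256 is an assumed window size.
SNIFF_WINDOW = 256


def image_type(data: bytes) -> Optional[str]:
    """Return the image format named by the file's magic bytes, or None."""
    for name, prefixes in IMAGE_SIGNATURES.items():
        if data.startswith(prefixes):
            return name
    return None


def has_html_markup(data: bytes) -> bool:
    """True if HTML-looking tags appear inside the window a sniffer would inspect."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def validate_image(data: bytes) -> Tuple[bool, str]:
    """Accept only bodies that carry an image signature and no HTML in the sniffed window."""
    kind = image_type(data)
    if kind is None:
        return False, "no image signature"
    if has_html_markup(data):
        return False, f"html markup inside {kind} header window"
    return True, kind


# Constructed samples: a minimal 1x1 GIF, a GIF header with HTML appended, and plain HTML.
GOOD_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
HTML_IN_GIF = b"GIF89a\x01\x00\x01\x00<html><body>sniff test</body></html>"
PLAIN_HTML = b"<!DOCTYPE html><html><body>not an image</body></html>"

if __name__ == "__main__":
    for label, body in (("good gif", GOOD_GIF), ("html in gif", HTML_IN_GIF), ("plain html", PLAIN_HTML)):
        print(label, validate_image(body))
```

The server-side counterpart that did not exist when this message was written is the `X-Content-Type-Options: nosniff` response header, which tells the browser to trust the declared Content-Type instead of guessing.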