[VIM] Vulnerability fixed in E-gold (fwd)
Steven M. Christey
coley at linus.mitre.org
Wed Mar 22 19:49:31 EST 2006
On Wed, 22 Mar 2006, security curmudgeon wrote:
>
> : > I know the VDB's don't track site specific bugs for the most part
>
> OSVDB is fairly sure that tracking them is important, and will do it at
> some point.
Since this thread started, I'm manually recording new issues as they come
across Bugtraq or other CVE sources, but there aren't a lot so far. You
have a lot more.
> Another big issue. www.example.com is reported as being prone to an XSS or
> SQL injection. The real question is.. is it code they generated, or do
> they use an underlying commercial package that has the vuln? This is
> probably one of the biggest turnoffs for tracking such vulns, especially
> given the lack of detail/research seen in many disclosures.
Makes sense, but we're already seeing this quite a bit even in the
"publicly distributed software" world. Definitely seems like it would be
much worse in the site-specific world.
- Steve