[VIM] Are we REALLY going to go there?

security curmudgeon jericho at attrition.org
Tue May 30 03:03:45 EDT 2006


: Ref: BUGTRAQ:20060523 Assetman <= 2.4a XSS
:      http://www.securityfocus.com/archive/1/archive/1/435139/100/0/threaded
: 
: 
: Are VDB's REALLY going to continue to go down this road of recording 
: vague, completely unactionable researcher disclosures without any vendor 
: contact or details on attack vectors or bug types?  (not including 
: post-disclosure analysis that finds the specifics, of course.)
: 
: It's taking all my mental energy to hold back from making a rather 
: unproductive, voluminous rant.

I noticed this from zerogue at gmail.com's postings. They are as vague as 
vendor changelogs, but don't have the benefit of being vendor 
confirmation. In the case above (and others he posted), "doesn't validate 
any of the input" .. i'm sure he tested ALL places of user input too.

I hate to add these to OSVDB but we definitely should. If nothing else, 
the vendor will dispute it or someone will do followup like you said. That 
said, a nice rant reminding these 'researchers' would be nice.


More information about the VIM mailing list