[VIM] Are we REALLY going to go there?

Stuart Moore smoore at securityglobal.net
Tue May 30 08:57:34 EDT 2006


It may be helpful to ask Nomenumbra to list at least one of the affected 
fields.  Coming from a few separate sources, it may have an impact.

BTW, in very quick testing on the vendor's demo site, the "Name" field 
in the New Vendor function and the "Comments" field under the Edit 
Vendor function are affected.  These are the only two I tried, so 
clearly there is a problem.

Vendor URL is http://www.bctree.com/~assetman/index.htm

Stuart


Steven M. Christey wrote:
> 
> On Tue, 30 May 2006, security curmudgeon wrote:
> 
>> I hate to add these to OSVDB but we definitely should. If nothing else,
>> the vendor will dispute it or someone will do followup like you said.
> 
> There's the third possibility: the claim will get recorded, there will be
> no concrete post-disclosure analysis, and it will stick around one way or
> another.  2005's spring Adobe occurrence coming to mind...  See below for
> a couple examples.
> 
>> That said, a nice rant reminding these 'researchers' would be nice.
> 
> There will always be new researchers who do this.  My rant was gonna be
> about us VDBs making this problem worse by lending an air of legitimacy to
> rumors that can't be verified even if we had all the resources in the
> world.  We can handle r0t disputes because he at least identifies a
> vector.
> 
> whoops :)
> 

