[VIM] [Fwd: Speartek XSS vuln.]
security curmudgeon
jericho at attrition.org
Sat Dec 31 01:52:04 EST 2005
: I then did a quick search in OSVDB on "Search Module XSS".... and it
: looks like almost all of them that do not have specific script
: information may actually be site specific vulns and not vulns in
: products... even though he lists version numbers.
:
: We have a policy at OSVDB that we do not add site specific vulns... so I
: would like to determine if these are real vulns in products or just r0t
: finding XSS vulns on company websites.
With his 'search module' vulnerabilities, I have wondered this a few
times. I'm curious if he is slapping some standard XSS code into the
search engine on the main vendor site, then listing the product and
version offered as 'vulnerable' without testing them. It's fairly clear he
isn't downloading half these products (or any); rather, he tests demo sites
or the vendor's installation.
The fact that he doesn't include a script name or variable name is
discouraging and really calls into question his ability to find
vulnerabilities.