[VIM] [Fwd: Speartek XSS vuln.]

security curmudgeon jericho at attrition.org
Sat Dec 31 01:52:04 EST 2005

: I then did a quick search in OSVDB on "Search Module XSS".... and it 
: looks like almost all of them that do not have specific script 
: information may actually be site specific vulns and not vulns in 
: products...  even though he lists version numbers.
: We have a policy at OSVDB that we do not add site specific vulns... so I 
: would like to determine if these are real vulns in products or just r0t 
: finding XSS vulns on company websites.

With his 'search module' vulnerabilities, I have wondered this a few 
times. I'm curious if he is slapping some standard XSS code into the 
search engine on the main vendor site, then listing the product and 
version offered as 'vulnerable' without testing them. It's fairly clear he 
isn't downloading half these products (or any), rather he tests demo sites 
or the vendor's installation.

The fact that he doesn't include a script name or variable name is 
discouraging and really calls into question his ability to find 

More information about the VIM mailing list