[VIM] Re: A few more apps vulnerable to PHP XML-RPC exploits (fwd)
jericho at attrition.org
Fri Jul 8 19:10:39 EDT 2005
: > We're still debating on whether this gets one entry in OSVDB, or gets
: > broken out (like CVE appears to be doing).
: CVE is doing this by accident because certain applications aren't
: directly saying that they're vulnerable to this particular problem, and
: we've only just become aware of how much this is being used.
: The normal approach in CVE is to assign one identifier per codebase,
: regardless of how many applications use it. This obviously has its own
: difficulties, especially for people who use CVE to track vulnerabilities
: in specific deployed applications in their enterprise. On the other
: hand, if someone asks "hey, I've been hearing about this XML-RPC bug,
: does product X have it?" they have a better chance of answering that
: question. This is one example why CVE is an 80% solution for everybody
: but not a 100% solution for anybody.
Right. I certainly see value in breaking it out by product, especially
when implementations may vary a bit or there are other mitigating
circumstances that are product/vendor specific.
: zlib is another good example of a library that's heavily used across
: many products.
Yah, these two vulns (zlib/xmlrpc) are fairly nasty due to that alone.
More information about the VIM