[VIM] vendor dispute of CVE-2005-3066 (fwd)

[Steven M. Christey]

FYI.

Note that the nature of their dispute is based on stored XSS (e.g.
injection of HTML into static pages or databases).  Their dispute does not
mention reflected XSS (i.e. having a user click on a link which then
causes the XSS to be reflected back to the user), so to my way of
thinking, this might be an erroneous dispute.  I have asked them for
clarification.

- Steve


---------- Forwarded message ----------
Date: Wed, 2 Nov 2005 14:43:51 -0600
From: ScriptSolutions <djm at scriptsolutions.com>
To: cve at mitre.org
Subject: CVE-2005-3066

Dear Sir/Madam,

I am the programmer of PerlDiver, the program which is referenced as a
"candidate" on your site
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3066).
Please note that PerlDiver has never stored user input from the
browser, much less returned that stored data to other users -- actions
crucial to the exploitation of XSS vulnerabilities.  As such,
PerlDiver is incapable of being exploited in this manner.

We consider exploitlabs to be irresponsible and malicious in their
reporting of a completely harmless omission.  We respectfully request
that you remove the advisory from your sites as well as reconsider the
importance of any future exploitlabs submission before permitting
their trivial findings to slander reputable companies.

You may see the details of our response to exploitlabs at
http://www.scriptsolutions.com/support/showflat.pl?Board=PDBugs&Number
=443

Thank you for your consideration.

Best regards,
Jasmine Merced