[VIM] vendor dispute of CVE-2005-3066 (fwd)

Stuart Moore smoore at securityglobal.net
Wed Nov 2 20:12:17 EST 2005


Steve,

This vendor does not understand XSS, stating that it is only a problem 
when a product *stores* information :-(

I confirmed the bug in 2.01.

Perhaps some education is in order ...

Stuart


-- 
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore at securityglobal.net


Steven M. Christey wrote:
> FYI.
> 
> Note that the nature of their dispute is based on stored XSS (e.g.
> injection of HTML into static pages or databases).  Their dispute does not
> mention reflected XSS (i.e. having a user click on a link which then
> causes the XSS to be reflected back to the user), so to my way of
> thinking, this might be an erroneous dispute.  I have asked them for
> clarification.
> 
> - Steve
> 
> 
> ---------- Forwarded message ----------
> Date: Wed, 2 Nov 2005 14:43:51 -0600
> From: ScriptSolutions <djm at scriptsolutions.com>
> To: cve at mitre.org
> Subject: CVE-2005-3066
> 
> Dear Sir/Madam,
> 
> I am the programmer of PerlDiver, the program which is referenced as a
> "candidate" on your site
> (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3066).
> Please note that PerlDiver has never stored user input from the
> browser, much less returned that stored data to other users -- actions
> crucial to the exploitation of XSS vulnerabilities.  As such,
> PerlDiver is incapable of being exploited in this manner.
> 
> We consider exploitlabs to be irresponsible and malicious in their
> reporting of a completely harmless omission.  We respectfully request
> that you remove the advisory from your sites as well as reconsider the
> importance of any future exploitlabs submission before permitting
> their trivial findings to slander reputable companies.
> 
> You may see the details of our response to exploitlabs at
> http://www.scriptsolutions.com/support/showflat.pl?Board=PDBugs&Number=443
> 
> Thank you for your consideration.
> 
> Best regards,
> Jasmine Merced
> 
> 
> 


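As an added illustration of the distinction Steve draws above (this is not code from PerlDiver, the thread, or any of its participants): a reflected echo needs no storage at all, because the response is built from the same request that carried the input. Python is used here rather than PerlDiver's Perl; the handler names and the sample query string are constructed for the example.

```python
# Added example: reflected output vs. escaped output in a CGI-style handler.
# Nothing here is PerlDiver's code; names and sample input are constructed.
from html import escape
from urllib.parse import parse_qs


def _name_param(query_string: str) -> str:
    """Decode the 'name' query parameter exactly as a CGI script would."""
    return parse_qs(query_string).get("name", [""])[0]


def vulnerable_page(query_string: str) -> str:
    """Echo the parameter straight into HTML. No database, no file: the
    request alone supplies the markup, which is the reflected case."""
    return f"<html><body><h1>Hello {_name_param(query_string)}</h1></body></html>"


def hardened_page(query_string: str) -> str:
    """Same page, with the parameter HTML-escaped at the output point."""
    safe = escape(_name_param(query_string), quote=True)
    return f"<html><body><h1>Hello {safe}</h1></body></html>"


def reflects_unescaped(tainted: str, body: str) -> bool:
    """Defender's check: does the response carry the request's markup
    characters verbatim? Only inputs containing HTML metacharacters count,
    so a plain word echoed back is not flagged."""
    return any(ch in tainted for ch in "<>\"'") and tainted in body


# Constructed sample request: the decoded value is <b>visitor</b>.
SAMPLE_QS = "name=%3Cb%3Evisitor%3C%2Fb%3E"

if __name__ == "__main__":
    print(vulnerable_page(SAMPLE_QS))
    print(hardened_page(SAMPLE_QS))
```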