[VIM] vendor dispute of CVE-2005-3066 (fwd)

Stuart Moore smoore at securityglobal.net
Wed Nov 2 20:12:17 EST 2005


This vendor does not understand XSS, stating that it is only a problem 
when a product *stores* information :-(

I confirmed the bug in 2.01.

Perhaps some education is in order ...


Stuart Moore
SecurityGlobal.net LLC
smoore at securityglobal.net

Steven M. Christey wrote:
> FYI.
> Note that the nature of their dispute is based on stored XSS (e.g.
> injection of HTML into static pages or databases).  Their dispute does not
> mention reflected XSS (i.e. having a user click on a link which then
> causes the XSS to be reflected back to the user), so to my way of
> thinking, this might be an erroneous dispute.  I have asked them for
> clarification.
> - Steve
> ---------- Forwarded message ----------
> Date: Wed, 2 Nov 2005 14:43:51 -0600
> From: ScriptSolutions <djm at scriptsolutions.com>
> To: cve at mitre.org
> Subject: CVE-2005-3066
> Dear Sir/Madam,
> I am the programmer of PerlDiver, the program which is referenced as a
> "candidate" on your site
> (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3066).
> Please note that PerlDiver has never stored user input from the
> browser, much less returned that stored data to other users -- actions
> crucial to the exploitation of XSS vulnerabilities.  As such,
> PerlDiver is incapable of being exploited in this manner.
> We consider exploitlabs to be irresponsible and malicious in their
> reporting of a completely harmless omission.  We respectfully request
> that you remove the advisory from your sites as well as reconsider the
> importance of any future exploitlabs submission before permitting
> their trivial findings to slander reputable companies.
> You may see the details of our response to exploitlabs at
> http://www.scriptsolutions.com/support/showflat.pl?Board=PDBugs&Number
> =443
> Thank you for your consideration.
> Best regards,
> Jasmine Merced

More information about the VIM mailing list