[VIM] site redirects: vulnerability or no?
jericho at attrition.org
Mon Nov 14 18:27:57 EST 2005
: Hi all. First Post.
: I agree that this is a vulnerability. Are you talking about putting
: vulnerabile websites into the VDB or just software that implements this
: redirect? This is going to get more interesting over time as software
: with APIs, etc. moves to become a service such as maps.google.com. I
: can't imagine putting every website that has this problem in the VDB.
If it is deemed a vulnerability, then an entry would be added based on
software packages, not web sites. I don't believe any of the databases
track vulns in web sites really.
If a vuln, then the second question becomes.. one entry for the concept,
or one entry per package.
And last, why is this a vulnerability in your eyes? One could argue that
the script is doing exactly what was intended, and the only vulnerability
is the person who blindly follows a link w/o realizing what they are
doing. This could also technically make 'TinyURL' a vulnerability since it
has the same outcome and even better concealment of the target URL.
More information about the VIM