[VIM] site redirects: vulnerability or no?

security curmudgeon jericho at attrition.org
Mon Nov 14 18:27:57 EST 2005

: Hi all. First Post.
: I agree that this is a vulnerability.  Are you talking about putting 
: vulnerabile websites into the VDB or just software that implements this 
: redirect?  This is going to get more interesting over time as software 
: with APIs, etc.  moves to become a service such as maps.google.com. I 
: can't imagine putting every website that has this problem in the VDB.

If it is deemed a vulnerability, then an entry would be added based on 
software packages, not web sites. I don't believe any of the databases 
track vulns in web sites really.

If a vuln, then the second question becomes.. one entry for the concept, 
or one entry per package.

And last, why is this a vulnerability in your eyes? One could argue that 
the script is doing exactly what was intended, and the only vulnerability 
is the person who blindly follows a link w/o realizing what they are 
doing. This could also technically make 'TinyURL' a vulnerability since it 
has the same outcome and even better concealment of the target URL.

More information about the VIM mailing list