[VIM] site redirects: vulnerability or no?

Chris Wysopal weld at vulnwatch.org
Mon Nov 14 19:42:08 EST 2005

On Mon, 14 Nov 2005, security curmudgeon wrote:

> If a vuln, then the second question becomes.. one entry for the concept,
> or one entry per package.
>
> And last, why is this a vulnerability in your eyes? One could argue that
> the script is doing exactly what was intended, and the only vulnerability
> is the person who blindly follows a link w/o realizing what they are
> doing. This could also technically make 'TinyURL' a vulnerability since it
> has the same outcome and even better concealment of the target URL.

To pull off a convincing phishing attack you need to put a few pieces
together.  Having a URL that looks legit is just one part.  TinyURLs
don't look legit.  But think about something that said click here for the
latest microsoft download and the url was
http://www.microsoft.com/something?www.sitename.com/foobar.exe
I bet Microsoft would want to fix that if notified.

Just because it is a vulnerability doesn't mean it makes sense to track it
in the VDB.  At some point a vulnerability gets so minor no one really
cares, such as many information disclosure issues. I think this one falls
below the level of tracking.

-Chris
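An added example, not from the thread or either poster: the redirect script pattern Chris describes (a trusted site forwarding to whatever URL it is handed) beside a checked version that only follows site-relative paths or allowlisted hosts. The host names in TRUSTED_HOSTS are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts the redirect script may forward to (placeholders).
TRUSTED_HOSTS = {"www.example.com", "download.example.com"}


def redirect_target_unsafe(next_url: str) -> str:
    """The open redirect as discussed in the thread: forwards wherever it is told.

    A link such as http://trusted.site/redir?http://phish.test/foobar.exe
    looks like it points at the trusted site but lands on the attacker's host.
    """
    return next_url


def redirect_target_safe(next_url: str, default: str = "/") -> str:
    """Return next_url only if it stays on this site or an allowlisted host.

    Anything else (other hosts, other schemes, malformed input) falls back to
    `default`, so the script can no longer be used to lend a trusted hostname
    to an arbitrary destination.
    """
    # Browsers treat "\" like "/" in URLs, so normalise before parsing; otherwise
    # "/\evil.test" would pass as a local path and still leave the site.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)

    # Site-relative path: exactly one leading "/" ("//host" is scheme-relative).
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    # Absolute URL: only http(s), and compare the parsed hostname rather than
    # the raw netloc, which may carry "trusted@evil" userinfo tricks.
    if parts.scheme not in ("http", "https"):
        return default
    if parts.hostname is None or parts.hostname.lower() not in TRUSTED_HOSTS:
        return default
    return candidate
```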
