[VIM] Confirmation (source inspection) of various r0t-discovered
jericho at attrition.org
Sun Nov 27 10:26:54 EST 2005
: It definitely isn't source inspection. Assuming his findings are
Yep, the volume would make that near impossible unless it was a sizable
: > One of the finds had what I took to be vendor confirmation. There was a
: > freshmeat announce for a new version of software that fixed XSS and SQL
: > Injections. It was released a day after r0t's mail to us and secunia (not
: > sure who else he is mailing), was the next logical version, etc.
: I've been burned once or twice by this assumption, so I don't call it
: vendor confirmation unless the original disclosure claimed vendor
: coordination, which is still slightly tenuous, but I think I'm more anal
: about this than most. Coincidences are rare, but they happen.
I agree. Without source code inspection of the new version and comparing
with the old, basically impossible to verify it either. Until we get a lot
more volunteers with coding background, this will likely be a hurdle for
: > See above. I'm guessing based on volume alone, that he is doing no real
: > testing beyond single backticks.
: One of his XSS examples was hex-encoded, but I wonder if that was just
I can't find the URL now, but a few months ago someone posted a page with
a few dozen XSS variants, designed for cut/paste testing. It would be
fairly trivial to have two or three standard XSS attempts for easy
: Yes, the lack of working examples is interesting - sometimes he doesn't
: even include a simple demo URL, although he frequently abstracts them
: out to the relevant scripts and parameters. I like the "[SQL]" and
: other shorthands when researchers use them, but on the other hand it
: hides whether they *really* found SQL injection or if they just provided
: an invalid value that caused a non-injectable SQL error.
Right. That is why I like when they give a sample URL that includes [SQL]
or preferably a single back tick, so we have a better idea of what they
More information about the VIM