[VIM] Confirmation (source inspection) of various r0t-discovered issues
Steven M. Christey
coley at linus.mitre.org
Sun Nov 27 14:58:10 EST 2005
On Sun, 27 Nov 2005, security curmudgeon wrote:
> : It definitely isn't source inspection. Assuming his findings are
>
> Yep, the volume would make that near impossible unless it was a sizable
> team.
I have an extremely crude PHP scanner that nonetheless is effective in
finding blatantly obvious problems, which most PHP apps have...
> I agree. Without source code inspection of the new version and comparing
> with the old, basically impossible to verify it either. Until we get a lot
> more volunteers with coding background, this will likely be a hurdle for
> VDBs.
... and a great argument for why we should work together and share results
;-)
> : One of his XSS examples was hex-encoded, but I wonder if that was just
> : coincidence.
>
> I can't find the URL now, but a few months ago someone posted a page with
> a few dozen XSS variants, designed for cut/paste testing. It would be
> fairly trivial to have two or three standard XSS attempts for easy
> testing.
Good point.
- Steve
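Steve mentions a crude PHP scanner that still catches the blatantly obvious cases. The script below is an added illustration of that idea, not his tool or anything from the VIM list: a line-based heuristic in Python that flags a PHP superglobal reaching an output, include, SQL or command sink on the same line with no sanitizing call on that line. The sample PHP it scans is constructed for the example; the sink and sanitizer lists are assumptions about what "blatantly obvious" means and are easy to extend.

```python
import re

# A superglobal anywhere on the line is treated as attacker-controlled input.
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")

# Sinks, keyed by the class of problem they indicate (assumed list).
SINKS = {
    "xss": re.compile(r"\b(echo|print)\b|<\?="),
    "file-include": re.compile(r"\b(include|require)(_once)?\b"),
    "sql": re.compile(r"\b(mysql_query|mysqli_query|pg_query)\s*\("),
    "command": re.compile(r"\b(system|exec|passthru|shell_exec|popen)\s*\("),
}

# Calls whose presence on the same line suppresses the finding (assumed list).
SANITIZERS = {
    "xss": re.compile(r"\b(htmlspecialchars|htmlentities|intval)\b|\(int\)"),
    "file-include": re.compile(r"\b(basename|in_array|intval)\b|\(int\)"),
    "sql": re.compile(r"\b(mysql_real_escape_string|mysqli_real_escape_string|intval)\b|\(int\)"),
    "command": re.compile(r"\b(escapeshellarg|escapeshellcmd|intval)\b|\(int\)"),
}


def scan_php(source):
    """Return a list of {line, kind, code} findings for one PHP source text.

    Deliberately crude: no parsing, no data flow. A superglobal that is
    assigned to a variable and used on a later line is missed, and a
    sanitizer that appears on the line for an unrelated value still
    suppresses the finding. It exists to triage, not to prove anything.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines
        if not SUPERGLOBAL.search(line):
            continue  # no attacker-controlled input on this line
        for kind, sink in SINKS.items():
            if sink.search(line) and not SANITIZERS[kind].search(line):
                findings.append({"line": lineno, "kind": kind, "code": stripped})
    return findings


# Constructed sample input; not taken from any real application.
SAMPLE_PHP = """<?php
// constructed sample for the scanner
$id = intval($_GET['id']);
echo "Hello " . $_GET['name'];
echo "Hello " . htmlspecialchars($_GET['name']);
include($_GET['page'] . ".php");
$r = mysql_query("SELECT * FROM t WHERE id=" . $_GET['id']);
$r = mysql_query("SELECT * FROM t WHERE id=" . $id);
system("ping " . escapeshellarg($_POST['host']));
?>"""


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f['line']:>3}  {f['kind']:<13} {f['code']}")
```

On the sample this reports the unescaped echo (line 4), the include built from a request parameter (line 6) and the string-concatenated query (line 7), and stays quiet on the three lines that sanitize or use an already-cast variable. The miss on line 8 (the query uses `$id`, which the scanner cannot see was derived from `$_GET`) is exactly the kind of gap that makes a tool like this a triage aid for confirming reported issues rather than a substitute for reading the code.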