[VIM] Confirmation (source inspection) of various r0t-discovered issues

Steven M. Christey coley at linus.mitre.org
Sun Nov 27 14:58:10 EST 2005

On Sun, 27 Nov 2005, security curmudgeon wrote:

> : It definitely isn't source inspection.  Assuming his findings are
> Yep, the volume would make that near impossible unless it was a sizable
> team.

I have an extremely crude PHP scanner that nonetheless is effective in
finding blatantly obvious problems, which most PHP apps have...

> I agree. Without source code inspection of the new version and comparing
> with the old, basically impossible to verify it either. Until we get a lot
> more volunteers with coding background, this will likely be a hurdle for
> VDBs.

... and a great argument for why we should work together and share results.

> : One of his XSS examples was hex-encoded, but I wonder if that was just
> : coincidence.
> I can't find the URL now, but a few months ago someone posted a page with
> a few dozen XSS variants, designed for cut/paste testing. It would be
> fairly trivial to have two or three standard XSS attempts for easy
> testing.

Good point.

- Steve

