[VIM] Blaming product vendors for other vendors' "features"
Steven M. Christey
coley at mitre.org
Tue Oct 25 21:06:42 EDT 2005

How are other VDBs handling situations in which Internet Explorer's
automatic type detection feature renders HTML in .GIF/.JPG files as if
it's HTML? Theoretically, every single web application that allows
uploads is "vulnerable" - is it really the application vendors'
responsibility to work around this "feature"? From a VDB perspective
I don't like the idea of "blaming" the wrong party and/or adding
dozens or hundreds of entries for products that don't work around
another product's feature.

These fall under a class of vulns that I call "multiple interpretation
errors" in which one product assumes "good" behavior of other products
that don't actually behave. A-V products get hit on these a lot, but
in those cases I think they should share some of the "blame" since
they are supposed to know how the inputs are going to be handled by

Insert comment about Jon Postel's great motto "Be liberal in what you
accept, and conservative in what you send" being an impediment to

Reference: BUGTRAQ:20051022 phpBB 2.0.17 (and other BB systems as well) Cookie disclosure
Reference: FULLDISC:20051022 phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.

Multiple interpretation error in phpBB 2.0.17, with remote avatars and
avatar uploading enabled, allows remote authenticated users to inject
arbitrary web script or HTML via an HTML file with a GIF or JPEG file
extension, which causes the HTML to be executed by a victim who views
the file in Internet Explorer, which renders malformed image types as
HTML, enabling cross-site scripting (XSS) attacks. NOTE: it could be
argued that this vulnerability is due to a design flaw in Internet
Explorer that should not require all web-based applications to work
around; if so, then this should not be treated as a vulnerability in
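
What "working around" the sniffing behaviour described above looks like on the application side, as an added example that is not part of the original post and not phpBB's code. The function names, the tag list and the 1024-byte window are assumptions chosen for illustration, and the `X-Content-Type-Options: nosniff` response header is a later browser opt-out that the post does not mention.

```python
import re

# File signatures for the two extensions named in the post.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MIME = {".gif": "image/gif", ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}

# Assumption: markup in the leading bytes is what tips a sniffing browser
# toward HTML. Window size and tag list are illustrative choices.
SNIFF_WINDOW = 1024
HTML_HINT = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|title|a\s|img|table|plaintext)",
    re.IGNORECASE,
)


def check_upload(filename, data):
    """Return (accepted, reason) for an uploaded avatar."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # A valid signature is not enough: markup can follow the magic bytes.
    if HTML_HINT.search(data[:SNIFF_WINDOW]):
        return False, "markup found in image header region"
    return True, "ok"


def serving_headers(filename):
    """Headers for serving a stored upload; nosniff asks browsers that
    support it to honour the declared type instead of guessing."""
    ext = "." + filename.rsplit(".", 1)[-1].lower()
    return {
        "Content-Type": MIME.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample uploads (not taken from the advisory).
SAMPLES = {
    "plain_html.gif": b"<html><body>hi</body></html>",
    "polyglot.gif": b"GIF89a<html><body>hi</body></html>",
    "real.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff;",
    "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\xff\xd9",
}
```

The `polyglot.gif` sample is the case that an extension check or a signature check alone lets through, which is why the validator also scans the leading bytes.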