[VIM] Blaming product vendors for other vendors' "features"

security curmudgeon jericho at attrition.org
Thu Oct 27 06:35:37 EDT 2005

: How are other VDBs handling situations in which Internet Explorer
: automatic type detection feature renders HTML in .GIF/.JPG files as if 
: it's HTML?  Theoretically, every single web application that allows 
: uploads is "vulnerable" - is it really the application vendors' 
: responsibility to work around this "feature"?  From a VDB perspective I 
: don't like the idea of "blaming" the wrong party and/or adding dozens or 
: hundreds of entries for products that don't work around another 
: product's feature.

I revamped our entry for this (OSVDB 20248), now titled "Microsoft IE 
Embedded Content Processing XSS".

I think there was a post prior to this, calling out a certain application 
as vulnerable "only if the person uses IE", but I don't recall what vuln 
it was, or if it was the same issue.

