[VIM] Blaming product vendors for other vendors' "features"
jericho at attrition.org
Thu Oct 27 06:35:37 EDT 2005
: How are other VDB's handling situations in which Internet Explorer
: automatic type detection feature renders HTML in .GIF/.JPG files as if
: it's HTML? Theoretically, every single web application that allows
: uploads is "vulnerable" - is it really the application vendors'
: responsibility to work around this "feature"? From a VDB perspective I
: don't like the idea of "blaming" the wrong party and/or adding dozens or
: hundreds of entries for products that don't work around another
: product's feature.
I revamped our entry for this (OSVDB 20248), now titled "Microsoft IE
Embedded Content Processing XSS".
I think there was a post prior to this, calling out a certain application
as vulnerable "only if the person uses IE", but I don't recall what vuln
it was, or if it was the same issue.
More information about the VIM