lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <46C54DE5.2010900@metaeye.org>
Date: Fri, 17 Aug 2007 12:57:33 +0530
From: Pranay Kanwar <warl0ck@...aeye.org>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: full-disclosure@...ts.grok.org.uk, "Steven M. Christey" <coley@...re.org>,
	websecurity@...appsec.org
Subject: Re: SecNiche : Microsoft Internet Explorer Pop up
 Blocker Bypassing and Dos Vulnerability

I fully agree with your explanation and reason on the JWIG issue.

regards

warl0ck // MSG

Steven M. Christey wrote:
> On Fri, 17 Aug 2007, Pranay Kanwar wrote:
> 
>> Frankly i now feel, that its not SecNiche's fault entirely, it has got a
>> lot of encouragement from its past invalid and absurd claims.
>>
>> Such as
>>
>> _JWIG Context Dependent Template Calling Denial of Service Vulnerability._
>> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3816
>> http://www.securityfocus.com/bid/24974
>> http://xforce.iss.net/xforce/xfdb/35515
> 
> I characterized this as a design limitation that could become an issue in
> applications that are written using JWIG, not JWIG itself:
> 
>   http://seclists.org/fulldisclosure/2007/Jul/0580.html
> 
> Yet nobody followed up on this to dispute my assessment or agree with it.
> What is your opinion?
> 
> 
>> Also i am pretty sure the above links will stay forever and i don't suppose i
>> have to explain why.
> 
> The CVEs will remain as a record of a report that was heavily disputed;
> unlike other vuln DBs, CVE and OSVDB don't just erase records when an
> issue is disputed.  We want a provable resolution to such disputes, if one
> ever arises.
> 
> - Steve
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ