2006-07-24 14:15:00
By Tim Brown
There's been a fair amount of chatter started by Gadi Evron, both on full-disclosure and in other places, about the need to disclose JavaScript injection vulnerabilities, so I thought I'd run through the thought process behind my disclosure of NDSA20060705.
It's a lame bug, there's no question about it, but it's still a bug, and it still hasn't been fixed by the vendor. I think that had it been, there's no way I'd have dropped it on the wires; patches would have come out and Linux distributors (who I'd imagine are the main source of the package) would have picked that up. However, given that this isn't the case, I began to research who was using the CGI wrapper and found it in some interesting places. I decided that were I evil I might be able to leverage this bug to compromise other more important applications, and thus I published. That being said, I will review disclosures of JavaScript injection on a case-by-case basis, always hoping that the vendor will jump on the case and provide a fix.
Mood: Thoughtful
Music: Something on the juke box