I fully agree with your explanation and reason on the JWIG issue. regards
warl0ck // MSG Steven M. Christey wrote: > On Fri, 17 Aug 2007, Pranay Kanwar wrote: > >> Frankly i now feel, that its not SecNiche's fault entirely, it has got a >> lot of encouragement from its past invalid and absurd claims. >> >> Such as >> >> _JWIG Context Dependent Template Calling Denial of Service Vulnerability._ >> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3816 >> http://www.securityfocus.com/bid/24974 >> http://xforce.iss.net/xforce/xfdb/35515 > > I characterized this as a design limitation that could become an issue in > applications that are written using JWIG, not JWIG itself: > > http://seclists.org/fulldisclosure/2007/Jul/0580.html > > Yet nobody followed up on this to dispute my assessment or agree with it. > What is your opinion? > > >> Also i am pretty sure the above links will stay forever and i don't suppose i >> have to explain why. > > The CVEs will remain as a record of a report that was heavily disputed; > unlike other vuln DBs, CVE and OSVDB don't just erase records when an > issue is disputed. We want a provable resolution to such disputes, if one > ever arises. > > - Steve > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/