[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] posting xss notifications in sites vs software packages

To: b <b@xxxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] posting xss notifications in sites vs software packages
From: Packet Storm <fulldis@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 8 Feb 2012 15:37:15 +0000

On Tue, Feb 07, 2012 at 06:18:24PM -0500, b wrote:
> What is the point of posting notifications of XSS vulnerabilities in
> specific web sites instead of alerts of xss vulns in specific software
> packages?
> 
> This question was prompted by all the postings by that vulnerability lab
> stuff.

In some cases, a cross site scripting vulnerability in a given site can affect 
a large user base and the code is custom to the business.  As an example, a 
cross site scripting issue in gmail is probably more catastrophic than a cross 
site scripting vuln in some half-rate CMS.  Not to mention there's the other 
situation where small website design shops repackage other open source code, 
brand it as part of their offering, and never provide updates to their 
customers.  The Internet is a mess.  $0.02

-Todd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] posting xss notifications in sites vs software packages
  - From: Info

References:
- [Full-disclosure] posting xss notifications in sites vs software packages
  - From: b

Prev by Date: Re: [Full-disclosure] posting xss notifications in sites vs software packages
Next by Date: [Full-disclosure] Netbeans Jira Plugin does not check https certificates
Previous by thread: Re: [Full-disclosure] posting xss notifications in sites vs software packages
Next by thread: Re: [Full-disclosure] posting xss notifications in sites vs software packages
Index(es):
- Date
- Thread