Javier Fernandez-Sanguino jfernandez at germinus.com
Fri Aug 12 03:47:25 EDT 2005

Curphey, Mark wrote:
> If it doesn't have a vulnerability why is it a security issue? If it
> reveals information then that's a vulnerability.

Actually that last statement is not always true. It actually depends 
on the company's security policy. In CVE terminology, 
information-disclosing stuff is considered "exposures", see 

In any case, it seems we agree on this issue. If there's some value to 
what you find through unreferenced files you should note it. Notice, 
however, that the value of the information revealed might not be 
associated with the application service itself but might have an impact on 
other services unrelated to it. That's what I wanted to stress.


