I've already sent this to the list once already, but it seems to have got lost somewhere along the way. If it does show up at some point; apologies in advance for the repeat posting.

It's always good to be correct(ness).

At the time the research was conducted (August 2003) we obviously looked around for as much information as possible prior to commencing. There were a number of individual MIME issues around, but most were single-product vulnerabilities. If the 3APA3A white paper you refer to was in existence at this time, it was not one we encountered. It has also been recently updated to include the latest information, so I can not comment on its previous content.

The Corsaire research project produced test cases for around 200 working attack vectors, that when passed through the top 10 content products produced over 800 individual vulnerabilities (needless to point out that there are a lot more than 10 products in this arena).

When we approached Mitre in regard to organising CVE numbers, it was clear that there were far too many issues to allocate individually, so it was agreed to pursue the same route as the SNMP issue from several years ago (http://www.cert.org/advisories/CA-2002-03.html) and group them into manageable chunks; this is what produced the broad category based advisories.

The use of the categories then isn't an attempt to assume credit for anyone else's work (if such exists), but to manage the volume of issues identified.

In regard to the 3APA3A white paper itself, it is true that there is some overlap with the Corsaire advisory categories. However the actual test cases provided to the vendors (plus unpublished advisories) contain literally dozens of issues that are not documented within the 3APA3A white paper at all. If anyone were to claim that the 3APA3A white paper is in any way complete, fully researched and definitive, it would simply be untrue.

Regards,

Martin O'Neal
Colsaire (chopped cabbage & onion; pirate style)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
