
Vulnerability or Not? Pen Tester Quarrels with Software Maker - wglb
https://www.securityweek.com/vulnerability-or-not-pen-tester-quarrels-software-maker
======
Thespian2
I'm inclined to side with the researcher on this one, just from this quote
from the vendor: "Christiano responded, 'The issue described in the
[SpiderLabs] article is certainly not a vulnerability, it is misuse of the
product.'"

Attackers don't care what is or isn't "in scope" for your pen test. They will
use what's available. Unauthenticated network services capable of writing
files to get code exec are _bad_.

This doesn't need to be visible on the open internet. What about lateral
movement within the organization?

