The weather has been very windy lately. Some people in the neighborhood put out their garbage and don't put a tight lid on the trash can. Of course, the trash blows down the street and into other yards. Now, a few of the people in the neighborhood do not see this as a big problem. After all, their yard looks fine, and their trash is gone. The president of the homeowners association has been sending out emails to remind people to put a tight lid on their trash cans.
Software vendors or application providers sometimes have the same attitude when you report a cross-site scripting or HTTP response splitting issue. The reaction seems to be "How does this affect me?"
These types of vulnerabilities do not directly affect the application that is creating the issue, but they impact the reputation of the whole community, because the attacker launches the attack on the strength of the web site's reputation. The manager of the web server needs to operate as a community manager and police the site.
If you look at the SANS top cyber security risks for 2009, you will see cross-site scripting at the top of the list. The WASC Web Application Security Statistics show HTTP response splitting near the top of the list, along with cross-site scripting and SQL injection.
The root cause of many of these vulnerabilities is software developers setting HTTP headers, such as cookies and redirects, from unvalidated user input. An HTTP header is like a trash can lid. If you don't keep a tight lid on HTTP headers, then garbage will be blown all over the community.
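To make the loose lid concrete, here is an added example (not code from the original post) that builds a redirect response with a cookie, first by copying user input straight into the headers and then with validation. The function names, the `lang` cookie and the sample inputs are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Cookie values limited to the RFC 6265 cookie-octet set (no CTLs, space, ", comma, ;, \).
COOKIE_VALUE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\Z")


def build_response_naive(lang, next_url):
    """The loose lid: user input is copied straight into header lines."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {next_url}\r\n"
            f"Set-Cookie: lang={lang}\r\n\r\n")


def safe_redirect_target(next_url, default="/"):
    """Allow only same-site absolute paths; anything else falls back to default."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c == "\\" for c in next_url):
        return default  # control characters (CR/LF included) or backslash
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc or not next_url.startswith("/"):
        return default  # absolute or scheme-relative URL pointing off-site
    return next_url


def build_response_safe(lang, next_url):
    """The tight lid: validate every value before it reaches a header."""
    if not COOKIE_VALUE.match(lang):
        raise ValueError("invalid cookie value")
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {safe_redirect_target(next_url)}\r\n"
            f"Set-Cookie: lang={lang}; HttpOnly; SameSite=Lax\r\n\r\n")


def header_lines(raw):
    """Header lines as a client would split them (status line excluded)."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


if __name__ == "__main__":
    hostile = "en\r\nX-Injected: 1"  # constructed input containing CR/LF
    print(header_lines(build_response_naive(hostile, "/home")))   # three headers, one injected
    print(header_lines(build_response_safe("en", "https://other.example/")))
```

Most current web frameworks reject CR/LF in header values on their own, but the redirect-target check still has to be done by the application.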