Month: July 2005

  • OSVDB at DEF CON 13

    [This was originally published on the OSVDB blog.] Several project leaders and OSVDB volunteers will be attending DEF CON 13 later this week. If you would like to meet up, hang out, ask questions or pledge time (booze?!), feel free to track us down. Odds are we will be around the Alexis Park pool during…

  • Zero Day Vulnerabilities – Sell Your Soul?

    [This was originally published on the OSVDB blog.] There have been several Vulnerability Sharing Clubs (VSC) in the past including iDefense, Immunity and others. For those who question this business model, consider Verisign just purchased iDefense for US $40 million. Still not a believer? Consider 3Com/TippingPoint is now offering a new VSC called the Zero…

  • Vuln info from public sources and VDB ‘rules’?

    [This was originally published on the OSVDB blog.] This has come up in the past, and again more recently. Is information found on a vendor website, such as a changelog or bugzilla entry, fair game for inclusion in a vulnerability database? Some vendors seem to think this material is off limits. If a person keeps…

  • Classification Headache: Remote vs Local

    [This was originally published on the OSVDB blog.] http://archives.neohapsis.com/archives/bugtraq/2005-07/0238.html From: Derek Martin (code[at]pizzashack.org) Date: Thu Jul 14 2005 – 21:39:30 CDT The issue has come up on bugtraq before, but I think it is worth raising it again. The question is how to classify attacks against users’ client programs which come from the Internet, e.g. an…

  • ICAT > NVD

    [This was originally published on the OSVDB blog.] Someone brought this to my attention: http://nvd.nist.gov/ National Vulnerability Database Welcome to NVD!! NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on the CVE vulnerability naming standard. NVD contains: 11708 Vulnerabilities 482 US-CERT…

  • Why Vulnerability Databases Can’t Do Everything

    [This was originally published on the OSVDB blog.] https://seclists.org/fulldisclosure/2005/Jul/292 From: Steven M. Christey (coley[at]mitre.org) Date: Fri Jul 15 2005 – 13:35:52 CDT Vulnerability databases and notification services have to pore through approximately 100 new public vulnerability reports a week. Correction: that’s HUNDREDS of reports, from diverse and often unproven sources, for about 100 unique vulnerabilities per…

  • Disclosure: Whois.Cart Multiple Vulnerabilities

    [This was originally published on OSVDB, now gone, and touched up for style. VulnDB 18533, 18534, 18535, 18536] During communication with the vendor of Whois.Cart regarding previous entries, Alexandre Lemaire was very helpful and prompt in providing information for the OSVDB team to resolve outstanding questions. During the communication, a few low concern issues were found.…

  • HTTP Request Smuggling

    [This was originally published on the OSVDB blog.] Last month, Watchfire released a new paper describing “HTTP Request Smuggling” attacks. Since the release of this paper, many products have been found prone to such attacks. Some of these include SunONE Web Server, Oracle Application Server Web Server, IBM WebSphere, BEA WebLogic, Tomcat, Microsoft Internet Information…