Month: November 2005

  • National Computer Security Day

    [This was originally posted to the OSVDB blog.] November 30th was National Computer Security Day. It came and went .. did you notice? I previously blogged about National Cyber Security Awareness Month, calling into question the value of awareness months of any kind. Awareness days are no different. As William Knowles said, “might have been…

  • Perl Format Strings

    [This was originally published on the OSVDB blog.] Dyad Security announced a new vulnerability in the Webmin miniserv.pl web server component. The Perl code is vulnerable to a format string bug, which is rarely seen in Perl and quite common in C programs. The post calls this a “new class of exploitable (remote code) perl…

  • SANS Top 20 Report Value

    [This was originally published on the OSVDB blog.] SANS has released their Top 20 Internet Security Vulnerabilities for 2005. Started in June 2000, “the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities”. The list was designed to help administrators tackle…

  • Google Device Vulnerabilities, EULA and More…

    [This was originally published on the OSVDB blog.] H D Moore recently wrote that he discovered several vulnerabilities in Google Search Appliances. You can find details of these on the Metasploit Vulnerability Page, as well as search OSVDB for the corresponding entries. Normally this wouldn’t be worth posting about, however Moore’s comments on the Google…

  • Disclosure: Barracuda Spam Firewall XSS & Hashed Password Disclosure

    [This was originally published on OSVDB, now gone, and touched up slightly for style. Mirrored on attrition.org. VulnDB 20878 & 20879]
    From: Jericho jericho@xxxxx.net
    To: support(at)barracudanetworks.com
    Cc: netsupport@xxxxx.net
    Date: Fri, 01 Jul 2005 03:37:18 -0600
    Subject: Barracuda Spam Firewall Cross Site Scripting (XSS) Vulnerabilities
    Hello, My ISP uses the Barracuda Networks Spam Firewall, Firmware v3.1.17 (2005-08-06 11:48:38). When editing…

  • Security Advisories, Mail Lists, and You

    [This was originally published on the OSVDB blog.] When a security researcher finds a vulnerability, they may choose to release the details in a formal advisory. The difference between a random post to a mail list and an advisory typically involves the level of detail and the amount of peripheral information about the vulnerability. This…

  • Disclosure or Blatant Advertising?

    [This was originally published on the OSVDB blog and re-published on the Sydney Morning Herald.] Security advisories are a form of advertising. First and foremost, they are used to promote the technical capability of a security company and showcase the talent. If a researcher or company was completely altruistic, they would not release an advisory…

  • Advisory Archives 102 (why Mandriva hates VDBs)

    [This was originally posted on the OSVDB blog.] I recently made a post titled Mail List Archives 101 (or why SF hates VDBs) commenting about the restructure of the SecurityFocus mail list archive. In short, it’s a bad thing. Unfortunately for many people, especially vulnerability databases, this is happening more and more, on various sites.…

  • Vulnerability One Trick Pony?

    [This was originally published on the OSVDB blog.] I know the title of this may seem to be a slight on the researchers I will use as examples, but that is not the case at all. Some people in the security community have a perception that some vulnerability researchers are so-called “one trick ponies”, meaning…