Month: March 2008

  • The Purpose of Tracking Numbers.. (IBM)

    [This was originally published on the OSVDB blog.] First it was HP, then it was Sun. Not to be outdone, IBM steps up and gives VDBs a headache. APAR IZ00988 is “sysrouted” to APAR IZ01121 and APAR IZ01122. Really IBM, the amount of information common to all three pages is overwhelming. Do you really need…

  • “high price bug brokering market just isn’t viable”

    [This was originally published on the OSVDB blog.] On January 17, 2007, SnoSoft / Netragard LLC announced a new Exploit Acquisition Program designed to compete with iDefense, TippingPoint and others. Nothing special or different other than the suggestion that they would pay more for high end vulnerabilities. A little over a year later, and they…

  • March 2008 Reviews (I Am Legend, Rescue Dawn, Transformers)

    [This was originally published on attrition.org.] I Am Legend 2007 Jericho I like post-apocalyptic flicks. The idea of large cesspools we call cities being completely wiped of humanity is great. Let the animals run free, let the buildings fade away. Unfortunately, that movie isn’t appealing to the masses without a lone survivor to fight some…

  • Disclosure: IntraLearn 2.1 Multiple Vulnerabilities

    1) Cross-site Scripting (XSS). URL and variables: /library/description_link.cfm (outline, course); /library/courses_catalog.cfm (records_to_display, the_start). 2) Login Information Cached In Memory. The login POST request for IntraLearn returns a 200 OK HTTP response code. As long as the browser window is not closed, it is possible for someone to use the browser’s “Back” button until the page after…

  • It’s patch xxxday!

    [This was originally published on the OSVDB blog.] A while back, Microsoft announced they were moving to release patches on the second Tuesday of each month, lovingly called Patch Tuesday. Soon after, Oracle announced that they too would be moving to scheduled releases of patches on the Tuesday closest to the 15th day of January,…