Category: InfoSec

  • Disclosure: Valdersoft Shopping Cart common.php Direct Request Path Disclosure

    [This was originally published on the VIM mail list. VulnDB 32388] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-6691 Since the product isn’t free, I was checking to see if the three different common.php files mentioned were all the same, or attempt to determine it via the demo on the vendor’s web site. When loading them, one only yields a blank page…

  • State of vulnerability research?

    [This was originally published on the OSVDB blog.] Steve Christey of CVE has posted to several lists asking What is the state of vulnerability research? Before you dismiss the question, give it serious thought for a few minutes. Have any ideas, opinions or concerns about where vuln research is heading? Where it should be? Drop…

  • The Rise of the Fuzzers

    [This was originally published on the OSVDB blog.] Fuzzers are by no means new. They have been used fairly extensively the last half decade to find a number of vulnerabilities. Back in July 2001 we saw an LDAP protocol fuzzer find issues in a variety of products. February 2003 saw SIP fuzzed, January 2004 was…

  • Why VDBs > AV Industry

    [This was originally published on the OSVDB blog.] Remember the recent Microsoft Windows WMF vulnerability that made news? You know, the “Shimgvw.dll SETABORTPROC function crafted WMF arbitrary code execution” issue? This was assigned OSVDB 21987, CVE 2005-4560, CERT VU 181038, BID 16074, FRSIRT ADV-2005-3086, OVAL 1433, SECTRACK 1015416, and Secunia 18255. While the vulnerability has…

  • OSVDB ThreatRiskWarnFUD Level 6.32

    [This was originally published on the OSVDB blog.] While chatting with a journalist about risks and ratings, I think the conversation started with a discussion on CVSS, but moved on to more general risk ratings. This led me to wonder about the usefulness of Internet risk/threat ratings that some security companies maintain. Does anyone use…

  • A Word on Solutions (We Won’t Tell)

    [This was originally published on the OSVDB blog.] From time to time, vendors will contact OSVDB to notify us of solutions to vulnerabilities included in the database. These are almost always very professional mails, usually polite, and sometimes include all the details we need/want. These mails may say something along the lines of “we have…

  • For Journalists Covering Oracle…

    [This was originally published on the OSVDB blog.]
    2004-08-04: 34 flaws found in Oracle database software
    2004-09-03: US gov and sec firms warn of critical Oracle flaws
    2004-10-15: Oracle Warns of Critical Exploits
    2005-01-20: Oracle Patch Fixes 23 ‘Critical’ Vulnerabilities
    2005-10-19: Oracle fixes bugs with mega patch
    2006-01-18: Oracle fixes pile of bugs
    In the interest of helping journalists cover…

  • A Time to Patch

    [This was originally published on the OSVDB blog.] http://blogs.washingtonpost.com/securityfix/2006/01/a_timeline_of_m.html Brian Krebs has a fantastic post on his blog covering the time it takes for Microsoft to release a patch, and if they are getting any better at it. Here are a few relevant paragraphs from it, but I encourage you to read the entire article.…

  • DHS & Your Tax Dollars

    [This was originally published on the OSVDB blog.] Full Article Through its Science and Technology Directorate, the department has given $1.24 million in funding to Stanford University, Coverity and Symantec to hunt for security bugs in open-source software and to improve Coverity’s commercial tool for source code analysis, representatives for the three grant recipients told…

  • 2005 CVE Program FOIA Results

    I submitted a Freedom of Information Act (FOIA) request to the Department of Homeland Security (DHS) on February 8, 2005, asking for funding information for the Common Vulnerability Enumeration (CVE) program run by MITRE. I eventually received a lengthy document that had the information I had requested, and a lot more. My FOIA request: I…