Tag: Bugtraq

  • Saving Bugtraq

    In July of 2019, many noticed that the Bugtraq mail list stopped having posts approved, including Art Manion at CERT. Since there are many other outlets for vulnerability disclosure, such as the Full-Disclosure mail list, Packetstorm, Exploit Database, and increasingly on GitHub, it didn’t receive much attention. It wasn’t like the days when the list…

  • Perlroth & The First (Zero-Day) Broker

    I am currently reading “This Is How They Tell Me The World Ends” by Nicole Perlroth, only on page 60 in Chapter 5, so a long ways to go before completing the 471 page tome. I hit chapter 4, titled “The First Broker” and it was of specific interest to me for sure, prompting this…

  • Your yearly reminder to post to Full-Disclosure, not Bugtraq

    [This was originally published on the OSVDB blog.] [10/29/2020 Update: As of February 24, SecurityFocus has stopped moderating posts to the Bugtraq mail list without explanation or warning. This is apparently related to Broadcom acquiring Symantec, the owner of SecurityFocus.] This has been a long-recognized and proven thing, but every year we run into more…

  • Missing Perspective on the Closure of the Full-Disclosure Mail List

    [This was originally published on the OSVDB blog.] This morning I woke to the news that the Full-Disclosure mail list was closing its doors. Assuming this is not a hoax (dangerously close to April 1st) and not spoofed mail that somehow got through, there seems to be perspective missing on the importance of this event.…

  • Bogus RFI Reports Getting Out of Hand

    [This was originally published on the OSVDB blog.] I know we’re all getting tired of the Remote File Inclusion (RFI) vulnerabilities being disclosed that end up being debunked, but this one takes the cake so far (yes I’m behind on e-mail). Fri Jun 16 2006 http://archives.neohapsis.com/archives/bugtraq/2006-06/0321.html (1) path/action.php, and to files in path/nucleus including (2) media.php, (3)…

  • [product] (script.php) Remote File Include [exploit|vulnerability]

    [This was originally published on the OSVDB blog.] Somewhere out there is a point-and-click web application that allows neophyte “security researchers” (yes, that is a joke) to quickly whip up their very own Bugtraq or Full-Disclosure post. I’m sure others have noticed this as well? More and more of the disclosures have too much in…

  • No Exception for Symantec

    [This was originally published on the OSVDB blog.] Symantec posted a message to Bugtraq earlier this month announcing the availability of a new advisory. The advisory presumably covers a vulnerability or issue in Symantec On-Demand Protection. If you are reading this blog entry a year from now, that is all you may find on it.…

  • PHP-CHECKER

    [This was originally posted to the OSVDB blog.] Yichen Xie and other Stanford researchers posted to bugtraq announcing “99 potential security vulnerabilities”, all SQL injections. Five issues/comments/questions come to mind: 1. This sounds impressive, but even by OSVDB’s level of abstraction (significantly higher than other VDBs), this is far from 99 vulnerabilities. Looking at the…

  • Unresponsive Vendors (and a Bit of Irony)

    [This was originally published on the OSVDB blog.] Late yesterday, Jaime Blasco posted to Bugtraq looking for a security contact at 3com to further attempt to disclose a vulnerability in one of their products responsibly. Such posts are not uncommon these days, and one of the driving forces behind the OSVDB Vendor Dictionary. For vendors…

  • Security Advisories, Mail Lists, and You

    [This was originally published on the OSVDB blog.] When a security researcher finds a vulnerability, they may choose to release the details in a formal advisory. The difference between a random post to a mail list and an advisory typically involves the level of detail and the amount of peripheral information to the vulnerability. This…