Tag: OSVDB

  • “0-day Can Happen to Anyone”

    [This was originally published on the OSVDB blog.] This time, it happened to the OSVDB blog. Unfortunately, WordPress doesn’t have a very good track record on security. During the migration from the old OSVDB to 2.0, we noticed a problem with the blog and several ‘spam’ posts appearing. We attributed it to one of the…

  • New Classification: Discovered In the Wild

    [This was originally published on the OSVDB blog.] [October 24, 2020 Update: Since creating this flag, VulnDB now has 629 entries flagged as such.] In a recent discussion on the security metrics mailing list, Pete Lindstrom put forth a rough formula to throw out a number of vulnerabilities that have been discovered versus undiscovered. One…

  • The Purpose of Tracking Numbers.. (Sun)

    [This was originally published on the OSVDB blog.] Early in 2006, I posted about HP using multiple identifiers for the same vulnerability. Recently, Sun Microsystems has done a little overhaul to their advisory pages and I noticed that they too now use entirely too many tracking numbers. For example, this Sun advisory has the following:…

  • arfis: Automated Remote File Inclusion Search

    [This was originally published on the OSVDB blog.] Nutshell What you see here is the output of the ”arfis project”, a simple perl script. It automatically downloads and extract PHP projects from sourceforge.net and checks for Remote File Inclusion vulnerabilities. It then post’s the potential (now it’s -potential-, cause the script is in an early…

  • 2007 Top Vulnerable Vendors?

    [This was originally published on the OSVDB blog.] http://www.eweek.com/article2/0,1895,2184206,00.asphttp://www.eweek.com/c/a/Security/Report-MS-Apple-Oracle-Are-Top-Vulnerable-Vendors/ New IBM research shows that five vendors are responsible for 12.6 percent of all disclosed vulnerabilities. Not surprising: In the first half of 2007, Microsoft was the top vendor when it came to publicly disclosed vulnerabilities. Likely surprising to some: Apple got second place. IBM Internet…

  • .de Vulnerability Information Vanishing

    [This was originally published on the OSVDB blog.] Due to a recent German law being passed, Phenoelit and now Stefen Esser’s Month of PHP Bugs has been removed. More information via an article by Robert Lemos.

  • OSVDB Search Tips & Tricks

    [This was originally published on the OSVDB blog.] I should have started a series of these posts long ago. One of the more frustrating parts of most VDBs is the lack of a helpful search function. Searching for some products (SharePoint) is easy enough, as the name is distinct and not likely to find many…

  • This blog is pretty!

    [This was originally published on the OSVDB blog.] Ran across a post on Dancho Danchev’s blog about information visualization. I’ve seen these types of graphical renderings/representations of everything from “the internet” to web sites. In the past they have been part of presentations or been created with tools that weren’t public. Now, Texone is offering…

  • Scrubbing the Source Data

    [This was originally published on the OSVDB blog.] A few months ago, Jeff Jones at CSO Online blogged about “Scrubbing the Source Data”, talking about the challenges of using vulnerability data for analysis. Part 1 examined using the National Vulnerability Database (NVD) showing how you can’t blindly rely on the data from VDBs. In his…

  • Month of Search Engine Bugs (MoSEB) Follow-up

    [This was originally published on the OSVDB blog.] Yes yes, yet another “Month of..” campaign. If you track the mail lists, you may have seen a post about a “Month of [something]” Bugs. Despite little follow-up, this campaign is going strong on the 17th day demonstrating a variety of vulnerabilities in lycos.com, search.myway.com, images.google.com, mamma.com,…