Tag: OSVDB
-
The value of 0-day…
[This was originally published on the OSVDB blog.] Another interesting article regarding the value of 0-day vulnerabilities. Rob Lemos relates the stories of a few researchers who sold their 0-day vulnerability/exploit information for big dollars. The twist here, which is news to some, is who purchased it (the .gov) and for how much (as high…
-
Site Specific Vulnerabilities – New Site Tracking XSS
[This was originally published on the OSVDB blog.] A while back I wrote about VDBs and site specific vulnerabilities. The general consensus is that VDBs should not track site specific vulnerabilities, even though some do for bigger sites that provide services (i.e. Google, Gmail, Yahoo). While OSVDB does not, we recently ran across a site…
-
VDB Searching Headache: Apache
[This was originally published on the OSVDB blog.] I had the need to search for Apache vulnerabilities today for the pesky day job. One word, one search and four hours later I realized just how bad our Apache entries were. Enter headache #1. Unfortunately, the rest of the VDBs were no better. What did I…
-
Month of Search Engines Bugs (MOSEB)
[This was originally published on the OSVDB blog.] It was bound to happen, now we get to see a Month of Search Engine Bugs. It would be nice if this effort included some bugs with meat rather than relatively obscure cross-site scripting issues. The time has come for announcement of my new project – Month…
-
Not Local.. Not Remote..
[This was originally published on the OSVDB blog.] Several of us working on VDBs have debated over the years how best to handle vulnerabilities that aren’t necessarily remote or local. Issues like image or archive handling vulnerabilities, where the program processing a malformed file is prone to an overflow, traversal or denial of service. While…
-
Month of ActiveX Bugs…
[This was originally published on the OSVDB blog.] Yet another “Month of..” bug campaign. This time, the Month of ActiveX Bugs (MoAxB) will focus on vulnerable ActiveX controls. Do a quick title search for “activex” and you will see a healthy history of vulnerabilities related to ActiveX controls. There is already a debate on the…
-
Anatomy of TWOVB hoax…
[This was originally published on the OSVDB blog.] In the final days of March, a “week of Vista bugs” was announced. As some suspected, it turned out to be a hoax. For the full story on how it was carried out, check the breakdown from the perpetrators. All in all, not a very impressive hoax…
-
Analogies Keep Failing
[This was originally published on the OSVDB blog.] One of the most often used, and later debated, analogies for actions in the security/hacker industry is comparing port scanning to walking down a road checking doors and windows to see which are unlocked. This is fundamentally flawed because port scanning looks for open…
-
[update] Month of PHP Bugs
[This was originally published on the OSVDB blog.] I previously blogged about the Month of PHP Bugs [MOPB], an effort led by Stefan Esser and the Hardened PHP Project to raise awareness about vulnerabilities in the PHP language. The month has come and passed and of course I have to wonder about a few things.…
-
OS Security, Old Debate, New Info
[This was originally published on the OSVDB blog.] Check out this article/report by OmniNerd, which tested various operating systems for security. They performed a baseline vulnerability scan during installation, after installation and after patches had been applied. Each installation was done to mimic as closely as possible a ‘default install’ by clicking ‘next’ when possible.…