[VIM] r0t on "bugtraqs @ all"

security curmudgeon jericho at attrition.org
Thu Jun 15 16:52:59 EDT 2006


: r0t compares the vuln dbs:
: 
:   http://pridels.blogspot.com/2006/06/bugtraqs-all.html

r0t had been mailing us his new findings until a couple weeks ago. I 
guess it is because we 'were' his favorite per the blog entry. What he 
says about OSVDB:

  Open source vuln. database - that says something. Great guys, they 
  verify all stuff, that's why they come out later than others. They were 
  my favorites, but in my eyes they lose favorite place when they 
  started to use the words "Exploit is Rumored" for examples. At that point, if 
  I give an example like http://victim/vuln_app/index.php?cat=[XSS], that one 
  isn't an exploit; did I ever publish it as an exploit? It's an example for 
  those who like or must verify. So, that's why it "was" my favorite.

Actually we don't verify every vulnerability. We're a little late in 
making entries because many times what is one secunia entry may be 20 
OSVDB entries (be it 20 files affected by XSS or 20 diff Mozilla 
advisories).

"Exploit is Rumored" is wording to indicate we think an exploit exists, 
but one was not published. In his example above, using [XSS] is taken to 
mean exploit published because 99.5% of the time, anyone can use the XSS 
Cheat Sheet [1] and cut/paste something in that will work. For SQL 
injection, unless a real example is given, we put rumored because so many 
people are familiar with SQL Injection attacks, but each injection is 
different. You can't just slap the same SQL syntax into every one and have 
it work. The criterion we use for 'exploit published' is whether the exact 
exploit syntax is published OR whether we think any reasonable administrator 
could duplicate the attack. In a few cases, if the XSS is complex and 
requires very specialized character usage or escaping, and the researcher 
doesn't provide an example, we'll make it 'rumored'.


Brian

[1] http://sec.drorshalev.com/dev/xss/xssTricks.htm  (Which seems to be 
    timing out now. Anyone have a mirror?)
