[VIM] r0t on "bugtraqs @ all"

Steven M. Christey coley at linus.mitre.org
Mon Jun 19 02:29:14 EDT 2006 

On Thu, 15 Jun 2006, security curmudgeon wrote:

> Actually we don't verify every vulnerability. We're a little late in
> making entries because many times what is one secunia entry may be 20
> OSVDB entries (be it 20 files affected by XSS or 20 diff Mozilla
> advisories).

Just out of curiosity - in retrospect, do you think that
"split-by-executable" has worked well for OSVDB?  It's a clear rule and
easily understood, which is a big win.

> "Exploit is Rumored" is wording to indicate we think an exploit exists,
> but one was not published. In his example above, using [XSS] is taken to
> mean exploit published because 99.5% of the time, anyone can use the XSS
> Cheat Sheet [1] and cut/paste something in that will work. For SQL
> injection, unless a real example is given, we put rumored because so many
> people are familiar with SQL Injection attacks, but each injection is
> different.

At this point, with so many "forced SQL error" issues that aren't really
injection, this seems like a safe bet.

> You can't just slap the same SQL syntax into every one and have
> it work. The criteria we use for 'exploit published' is if the exact
> exploit syntax is published OR if we think any reasonable administrator
> could duplicate the attack. In a few cases, if the XSS is complex and
> requires very specliazed character usage or escaping, and the researcher
> doesn't provide an example, we'll make it 'rumored'.

Personally, if the researcher has enough clue to note that there are some
special conditions that prevent this from being garden variety XSS, it's
slightly more authoritative than "exploit is rumored."  To take it to an
extreme - EVERYTHING David Litchfield posts could technically be called
"exploit is rumored" due to the NGS disclosure policy for delayed details,
but I'd give his claims more weight than, say, the latest fly-by-night
researcher.  That said, since CVE's main objective measure of veracity is
provable vendor acknowledgement, we don't deal with these questions on a
regular basis.

> [1] http://sec.drorshalev.com/dev/xss/xssTricks.htm  (Which seems to be
>     timing out now. Anyone have a mirror?)

I use ha.ckers.org/xss.html

- Steve

More information about the VIM mailing list