by r0t,der4444,cembo,VietMafia

Friday, June 09, 2006

bugtraqs @ all

Hi guys, as in the last 6 months I have reported some bugs in web applications, I think I can tell something about bugtraqs in general.
Some criticism, of course..

Let's start with secunia.com
A security research company which is originally located in Denmark. Those guys do a lot of work, they do a lot in their personal research.. they try to verify all reported vulns. Ok, sometimes their verification isn't as successful as some attacker's exploitation of the bug, but don't forget that they try to verify everything, so that point brings them to the best form of all.


As the next one I want to view osvdb.org
Open source vuln. database - that says something. Great guys, they verify all stuff, that's why they come out later than others.
They were my favorites, but in my eyes they lost the favorite place when they started to use the words "Exploit is Rumored" for examples.
At that point, if I give an example like http://victim/vuln_app/index.php?cat=[XSS]
that one isn't an exploit, did I ever publish it as an exploit?
It's an example for those who like or have to verify.
So, that's why it "was" my favorite.


So one of the most popular for years is securityfocus.com

They are good enough, I never sent them one of my reports.. oh.. yes, once it was as a bugtraq for some site application, yahoo or another one.
I was laughing when I saw credits like discovered by "rakstija r0t3d3vil" ... "rakstija" is a Latvian word - wrote.
At the start of my report it is always written which guy has discovered that, but that only means those guys need better glasses than I have.
Why didn't I report to them?
Simple answer - where to report?
If I can't find it within 2 clicks I don't have any more interest in reporting to them.

The next one will be frsirt.com

Nice guys, but they don't verify by themselves, they wait for the secunia guys.
I think that tells everything.

Next one is security.nnov.ru

Nice Russian guys, they are more a buglist than a bugtraq, because they don't verify anything.
But a good point of theirs, they are the fastest updated "bugtraq" on earth.

and nvd.nist.gov

National vulnerability database, that says nothing.. but a domain which ends with ".gov" says something by itself. Their risk rating isn't better than the one by SANS. I don't think they have a lot of reports from the guys who discover vulns., but they are good at collecting them, even though they are from .gov


and of course xforce.iss.net

I will say it's the black horse in that challenge.
I never sent them a report of my work, but they always know everything.
Maybe they are located as an outsider among the best ones, but they do a good job.


yes, and milw0rm.com

str0ke does a good job overall, the site is specific because it is mostly based on exploits and reports are mostly only with exploits, that's not bad at all.

yes, and the popular Russian source securitylab.ru

They don't verify and they remove links to the original advisory, that's the point why I don't like to report to them.. But it's not only them, mostly all Russian security resources remove advisory authors and original sources... and in that, at best, sometimes they like to give credits to themselves.. So the worst security or bugtraq scene in the world is the Russian one.
Another Russian one which I know is hackzona.ru, they only translate random advisories from secunia and that's all, and there isn't a point like "when" or "who"... who cares?
another one is xakep.ru - they have their own successful journal and other things for n00bs.
Most of the bugtraq'ed things they publish as their own.


secwatch.org ....

They collect info from the biggest bugtraqs and have their own bugtraq list which also isn't verified.

netsecurity.com

copy/paste - that says everything.


hackerscenter.com

Not a bugtraq, but a portal which has a bugtraq. Of course they don't verify, but it's better than the Russian ones because they don't forget about the guys who discovered the stuff they publish.


So I think I have written about the most popular bugtraqs, if I missed some, then sorry ...

2 Comments:

Anonymous Anonymous told...

http://attrition.org/pipermail/vim/2006-June/000871.html

Explanation of why OSVDB does it that way. =)

11:00 PM

 
Blogger r0t told...

OK, you are right Brian, about your tactic that each file for OSVDB counts as a separate advisory.
It brings a more detailed view, but it also takes more time.
Anyway, you are doing a good job!

12:09 AM

Copyright (c) 2006 Pridels Sec Crew