Penetration Testing mailing list archives
Re: CVE Security vulnerability database web site
From: YGN Ethical Hacker Group <lists () yehg net>
Date: Fri, 21 May 2010 13:27:09 +0630
Hi Serkan Thanks for your great effort and time. One suggestion, It's good to see if the site has its own indexing database for our extensive search . Currently the site is not search-engine friendly. Google and a bit of others haven't indexed all pages, which triggers our search no result page. Please use .htaccess mod_rewrite rules for search-engine friendly url. For example, http://securityvulnerability.net/vendor.php?vendor_id=26&vendor=Microsoft Then, it will be http://securityvulnerability.net/vendor/26/Microsoft This can be done in rule like: RewriteRule ^/?vendor/([0-9_]+)/([a-zA-Z_]+)$ vendor.php?vendor_id=$1&vendor=$2 --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd 2010/5/19 Josh <joshmunson () gmail com>:
Very nice. Thank you for your contribution, for this will be a very useful feature for all. 2010/5/14 Serkan Özkan <serkanozkan () gmail com>:Hi again, I added related metasploit modules pages for vendors, products and versions. For example you can view list of metasploit modules related to mac os x, sample here : http://securityvulnerability.net/metasploit-modules.php?product_id=156 I added list of related metasploit modules to the bottom of cve details page, so you can view metasploit modules related to a cve entry easily. I also added a one click nessus plugin search link to cve details page, clicking to the nessus logo at cve details page takes you directly to nessus plugin search results page. That's all for now. These should make things much easier. Regards Serkan Özkan 2010/5/13 Serkan Özkan <serkanozkan () gmail com>:Hi, Adding references to tools may be possible if vendors publish mappings of their plugins to cve numbers. Even if such mappings exist at the moment they are in completely different formats; published at their web sites as a webpage or emailed to subscribers. So it's hard to automatically map those data to cve entries, and cover many tool references. I checked metasploit and nessus plugin/module data. I will add references to metasploit modules in a few days using the cve numbers associated with modules, as listed at http://www.metasploit.com/framework/modules. Nessus plugin data are huge compared to metasploit modules so that's a bit more complicated. First of all I will add a link to cve details page to the plugin search page at Nessus web site, http://www.nessus.org/plugins/index.php?view=search, it's not a big deal but may save you a few seconds. I will see what I can do later. Regards Serkan Özkan 2010/5/12 YGN Ethical Hacker Group <lists () yehg net>:As far as we see, only exploit-db.com and packetstorm have timely exploits. However, these two sites cannot have complete exploit references. A lot of exploits are scattered across forums, individual hacker sites/blogs, group hacker sites/blogs or some are featured as zero-day in presentations in unknown/known hacker/security conferences or informal meetups, also in security companies' research > advisories sections. We've listed some of those sites: http://yehg.net/hwd/?id=c&go=122 [Advisories] http://yehg.net/hwd/?id=c&go=58 [Exploits] Your linking to vulnerability with available exploits is reasonable. But sometimes, those listed exploits might not work/might have backdoors/might not be trusted unless re-tested/re-coded/sanitized. Also, running each exploit for each vulnerability might be a pain or time consuming for pen tester as we usually/always have to pentest in very limited time frame. So, what we wish you is to link vulnerabilities to integrated scanners/exploiters such as - Nessus - Metasploit - Some scanners dedicated to one stuff (e.g., Tool ABC can check all vulnerabilities of Product XYZ ) So, upon seeing a vulnerability, we all can ensure that Nessus/Metasploit/Tool ABC can cover this. This can be achieved by community means or can be done with the aid of intelligent data miner and analyzer. --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- CVE Security vulnerability database web site Serkan Özkan (May 10)
- Re: CVE Security vulnerability database web site Andre Gironda (May 11)
- Re: CVE Security vulnerability database web site Serkan Özkan (May 11)
- Message not available
- Message not available
- Re: CVE Security vulnerability database web site Serkan Özkan (May 18)
- Re: CVE Security vulnerability database web site Josh (May 19)
- Re: CVE Security vulnerability database web site YGN Ethical Hacker Group (May 21)
- Re: CVE Security vulnerability database web site Serkan Özkan (May 11)
- Re: CVE Security vulnerability database web site Andre Gironda (May 11)