OSVDB Search Tips & Tricks

Posted by jericho Mon, 23 Jul 2007 12:34:10 GMT

I should have started a series of these posts long ago. One of the more frustrating parts of most VDBs is the lack of a helpful search function. Searching for some products (SharePoint) is easy enough, as the name is distinct and not likely to find many matches. If you happen to know the script affected (logout.php), that too can make the search fast and painless. However, what if you want to list all vulnerabilities in PHP?

- CVE: searching for “php.net” yields 0 matches, while searching for “php” gets 2896
- BID: search by vendor, PHP
- ISS: advanced search, “php.net” will find most, but also include non-PHP vulnerabilities
- SecurityTracker: search “php.net” will find some, but a world of additional threads/advisories
- Secunia: search “php.net”, pick a PHP vulnerability, click the software link, click vendor link, click the 6 links below corresponding to the major versions

If OSVDB had a complete data set, you could search fairly easily off the vendor name due to our vendor dictionary and listing associated products. Until then, one tip is to search references for “php.net” to pull up a list of all PHP native vulnerabilities. This won’t work for most vendors, but for the bigger vendors we’re trying to standardize our entries and references to facilitate easier searches.


If you know the specific GUID (3d742890-397c-11cf-9bf1-00805f88cb72) related to an advisory, or some other odd number or unique identifier, try searching the reference for it. This also goes for advisory identification numbers. Again, the data set is far from complete but we’re trying!


Many years ago I opened a ticket to create a new feature that allowed one to search for vulnerabilities by associated port. Curious what vulnerabilities are related to TCP port 1234 or UDP port 5432? No problem! Until we can get more developers on board and knock out some of these projects, search reference for “tcp port 1234” or “udp port 5432”.

Hopefully, more search tips to come.


Comments

  1. jose said 4 days later:

    to your last point, vulns by TCP/IP service, ATLAS does that (http://atlas.arbor.net/). it was a need i’ve had for years, and we keep a reasonably updated list.

    i’m surprised more people don’t do that, it’s very valuable. but the fact that so few people do it makes any implementation even more valuable.

  2. SteveChristey said 16 days later:

    Just fyi, CVE has an ancient, custom-developed search routine that normalizes or auto-corrects similar keywords, plus it treats “.” and others as if they are alphanumeric, which helps with searching for version numbers like 1.2.3 or script names like printenv.pl, or when someone says “buffer overrun” instead of “buffer overflow.” The routine is very useful for CVE research itself, and it was critical in the early days when we were creating CVEs from large sources, but admittedly they are not great for a general consumer.
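
The reference-search tips in the post and the tokenization described in the second comment, as an added example that is not part of the original post and is not OSVDB's or CVE's actual search code. The entries, the synonym table and all function names are constructed for illustration; keeping "." and "-" inside tokens is what lets "php.net", a version number or a GUID match as one term instead of as a substring.

```python
import re

# Constructed sample entries (not real OSVDB records); the GUID is the one quoted in the post.
ENTRIES = [
    {"id": 1, "title": "PHP example_func() buffer overrun",
     "refs": ["http://www.php.net/constructed-changelog"]},
    {"id": 2, "title": "ExampleCMS logout.php SQL injection",
     "refs": ["http://example.com/advisory/12"]},
    {"id": 3, "title": "ExampleRPC service buffer overflow",
     "refs": ["Reachable on tcp port 1234", "GUID 3d742890-397c-11cf-9bf1-00805f88cb72"]},
    {"id": 4, "title": "ExampleDB 1.2.3 denial of service",
     "refs": ["Listener on udp port 5432"]},
]
SYNONYMS = {"overrun": "overflow"}  # assumed normalization table
# "." and "-" stay inside a token, so php.net, 1.2.3, logout.php and GUIDs are single terms.
TOKEN = re.compile(r"[a-z0-9]+(?:[.\-][a-z0-9]+)*")

def tokens(text):
    out = []
    for tok in TOKEN.findall(text.lower()):
        if tok.startswith("www."):  # treat www.php.net as php.net
            tok = tok[4:]
        out.append(SYNONYMS.get(tok, tok))
    return out

def contains_phrase(haystack, needle):
    n = len(needle)
    return n > 0 and any(haystack[i:i + n] == needle
                         for i in range(len(haystack) - n + 1))

def search(query, fields=("refs",)):
    """Return ids of entries whose chosen fields contain the query as a token phrase."""
    q = tokens(query)
    hits = []
    for entry in ENTRIES:
        texts = []
        for field in fields:
            value = entry[field]
            texts.extend(value if isinstance(value, list) else [value])
        if any(contains_phrase(tokens(t), q) for t in texts):
            hits.append(entry["id"])
    return hits

def naive_search(query):
    """Plain substring match over title and references, for comparison."""
    q = query.lower()
    return [e["id"] for e in ENTRIES
            if q in (e["title"] + " " + " ".join(e["refs"])).lower()]
```

With these entries, a substring search for "php" also returns the logout.php entry, while the reference search for "php.net" returns only the PHP-native one.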
