for the last few days I've been data mangling vulnerabilities for the Open Source Vulnerability Database
. and I must say, although now I have the hang of it -- at first it was a bit stressing -- simply because you don't want to be the person to really mess up on an advisory post.
on one of the first vulnerabilities I mangled. the discloser sent an email to Full Disclosure with a theoretical vulnerability -- as if he knew the flaw in question could be exploited, but he didn't make mention of specific details.
when I received the vulnerability in my queue, I could tell there were a few problems just by reading the original 'advisory'. so, I researched the bug on my own and found four seperate variables that allowed for XSS injection.
I also found more XSS bugs in other parts of the application, which I didn't add because it had nothing to do with his advisory.
the point is, it's not as easy as it looks. and the people involved in the project are actually pretty cool, and put a lot of time into it. much props to Jericho and the rest of the moderators/data manglers.
so, which was the first vulnerability that popped my cherry? well, here it is: HP-UX envd Unspecified Local Privilege Escalation
I have some advisories coming up this week, so be on the look out!