[VIM] WebAPP Audit

WebAPP webapp at sitespot.us
Tue Mar 20 14:18:34 UTC 2007


Hi,

I came upon this email posted about our recent security issues with WebAPP. I am more than willing to communicate directly with anyone with an interest in the security issues we have been recently addressing at the WebAPP project at web-app.org.

As you have noticed, we have been releasing several new releases lately. This is being done in an attempt to keep up with actual and threatened attacks against web-app.org members and their websites done by the group operating another "WebAPP" site at web-app.net since late May last year.

WebAPP 0.9.9.5 was released as a bug fix package with some patches for some relatively minor client-side XSS issues found near the time of release by a member of blackcode.org. The request for help at blackcode was made by me in response to some news articles posted at DIGG by "Monty53" where he claimed our script had a major hole that allowed command execution on the server. Following that release, we continued to work on security. WebAPP 0.9.9.6 was a much more major overall upgrade, including a patch for an issue so serious that I fear for the time the details of it may become publicly available. This vulnerability was found by another professional who wishes to remain anonymous for the sake of his career, again due to the threat of retaliatory attacks by web-app.net.

The most recent cookies attack by "Monty53 of Turkey" to overtake the admin account at web-app.org was relatively trivial in comparison to the vulnerability mentioned above. I am convinced that this cookies problem has been a longstanding issue. The patch we released most recently should help prevent the method that was used in the case of the hack attack on the WebAPP site, but there are likely to be other ways and other things that have not yet been dealt with completely. We continue working at this time and have yet another release planned to be made public quite soon, with yet more security work. Apparently On Elpeleg, our former Security Chief, overlooked some things during his supervision of security for the WebAPP project through May 2006 at web-app.org. Now Mr. Elpeleg has been demonstrating his realization of many of these long term security issues following his move to web-app.net, using web-app.org's membership and forums database, and where "WebAPP" version 0.9.9.3.4 is being released in a slightly modified form as "0.9.9.7". I must assert that our upgrades at web-app.org include a whole lot more work, security and otherwise.

So that's pretty much where we stand.

Since you seem to have taken an interest in this, please advise as to what, given the current circumstances, and with minimization of risk to users, you would like to see from the WebAPP project in the future regarding more complete security information.

Thank you,
Jos Brown
web-app.org