<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1555" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Hi,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I came upon this email posted about our recent
security issues with WebAPP. </FONT><FONT face=Arial size=2>I am more than
willing to communicate directly with anyone with an interest in the security
issues we have been recently addressing at the WebAPP project at
web-app.org.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>As you have noticed, we have been releasing several
new releases lately. This is being done in an attempt to keep up with actual and
threatened attacks against web-app.org members and their websites done
by the group operating another "WebAPP" site at web-app.net since late
May last year.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>WebAPP 0.9.9.5 was released as a bug fix package
with some patches for some relatively minor client side XSS issues found near
time of release by a member of blackcode.org. The request for help at blackcode
was made by me in response to some news articles posted at DIGG by "Monty53"
where he claimed our script had a major hole that allowed command execution on
the server. Following that release, we continued to work on security.
WebAPP 0.9.9.6 was a much more major overall upgrade including a patch for
an issue so serious that I fear for the time the details of it may become
publicly available. This vulnerability was found by another professional who
wishes to remain anonymous for the sake of his career, again due to the threat
of retaliatory attacks by web-app.net.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The most recent cookies attack by "Monty53 of
Turkey" to overtake the admin account at web-app.org was relatively
trivial in comparison to the vulnerability mentioned above. I am convinced
that this cookies problem has been a longstanding issue. The patch we released
most recently should help prevent the method that was used in the case of
the hack attack on the WebAPP site, but there are likely to be other ways and
other things that have not yet been dealt with completely. We continue working
at this time and have yet another release planned to be made public quite soon,
with yet more security work. Apparently On Elpeleg, our former Security Chief,
overlooked some things during his supervision of security for the WebAPP project
through May 2006 at web-app.org. Now Mr. Elpeleg has been demonstrating
his realization of many of these long term security issues following
his move to web-app.net, using web-app.org's membership and forums
database, and where "WebAPP" version 0.9.9.3.4 is being released in a slightly
modified form as "0.9.9.7". I must assert that our upgrades at web-app.org
include a whole lot more work, security and otherwise.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>So that's pretty much where we stand.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Since you seem to have taken an interest in this,
please advise as to what, given the current circumstances, and with
minimization of risk to users, you would like to see from the WebAPP
project in the future regarding more complete security information.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Thank you,</FONT></DIV>
<DIV><FONT face=Arial size=2>Jos Brown</FONT></DIV>
<DIV><FONT face=Arial size=2>web-app.org</FONT></DIV></BODY></HTML>