[VIM] WebAPP Audit

George A. Theall theall at tenablesecurity.com
Tue Mar 20 11:31:08 UTC 2007

On 03/20/07 07:01, security curmudgeon wrote:

> As most of you may have noticed, WebAPP has gone under a fairly heavy 
> audit and the changelog for
> I'm a bit curious who the 'professionals' were that did the audit 
> leading to and the details of the subsequent exploit.

I was looking at this last week. It seems like the WebAPP project has 
forked, with two groups bickering over control. The people maintaining 
webapp.net has been suggesting that the code as maintained by webapp.org 
can be abused to compromise a system.

The maintainer of webapp.org solicited help from members of 
blackcode.com, who I suspect are the "security professionals" refered to 
in the advisory. Follow the fun here:


I haven't had a chance to look into the latest patch, but I did find two 
vectors by which an authenticated attacker could execute arbitrary code 
in version, but that's subject to the privileges of the web 
server user id.

theall at tenablesecurity.com

More information about the VIM mailing list