[VIM] WebAPP Audit
George A. Theall
theall at tenablesecurity.com
Thu Mar 22 01:55:27 UTC 2007

On 03/21/07 13:03, WebAPP wrote:
> Guys, It's not very helpful to read about how people have found exploits
> and not be told what they are.

Are you referring to my posting yesterday? If so, perhaps it would help
if I rephrased... In looking at the code changes between 0.9.9.5 and
0.9.9.6, I found two vulnerabilities that had been patched and that
allowed for arbitrary code execution by an authenticated user. These are
issues that have already been identified and fixed in 0.9.9.6.
Understand that this was a review of the *changes* made, not a code
audit itself.

You asked in an earlier message what we would like to see with regards
to security information from your project. I'm a bit surprised not to
have seen at least Jericho rise to the challenge, but personally I'd
like to see more information. Telling people that there's a serious set
of flaws in a software package and that they need to upgrade asap might
seem helpful at first blush, but in today's environment, people need a
way to prioritize. Give them basic information about the flaws so they
can understand the risks involved in not reacting right away. Are we
dealing with a cross-site scripting flaw that can be triggered when an
admin views application logs? A remote file include flaw that's
exploitable only if PHP's register_globals is enabled (yeah, I know
WebAPP uses Perl, not PHP, but I'm talking generally here)? A SQL
injection in a login page by which an attacker can gain admin access? A
design flaw by which the shopping cart's sales database is in a
web-accessible location? A feature that lets users upload arbitrary
files and then run them as a non-root user? This sort of information
will go a long way to helping your users assess the risks they face.

P.S. I wouldn't be surprised if telling people they really Really REALLY
need to upgrade motivates malicious people to discover what's been
patched more than it convinces others to upgrade their own systems.

George
--
theall at tenablesecurity.com