[VIM] WebAPP Audit

WebAPP webapp at sitespot.us
Thu Mar 22 05:40:34 UTC 2007


Now this is helpful. Thank you George. Also it's good news to hear that you
found the differences and see our patches to be at least somewhat
appropriate.

I understand what you mean about potential hackers figuring out the problem
before the users. Lately the biggest threat has been from advocates of an
opposing group who does not want web-app.org to survive (who incidentally
still do not have their release patched). But still of course there are
others. We were careful with this one and sent out a newsletter security
bulletin to subscribers over a week ahead of time telling of the coming
update. We held back the exact information on the vulnerable area and did
not release a separate patch for the specific issue because it can be so
deadly and because of the typical hesitance of most WebAPP users to upgrade.
Many of them are still running versions from 2003, and you've probably heard
of a few of the security issues we've had to clean up since then.

Having seen the vulnerability now for yourself, what is your opinion on
making a report of it?

As for the Secunia Advisory at http://secunia.com/advisories/24227 , I will
forward to you a copy of what I originally emailed to vuln at secunia.com . I
assumed the Advisory to be a result of my report. Not sure why Secunia's
description is so much
shorter.

*****

Hello,

WebAPP (Web Automated Perl Portal) has recently had a security audit.
Several issues were uncovered, including the following:

Form input validation flaws.
     It was found possible to insert certain characters in order to obtain
unexpected results from form submissions. Data files could be corrupted by
percent encoded or otherwise escaped character insertion. Under certain
conditions, forms could be exploited to allow undesired access to private
files. With expert use, this could be exploited to execute code on the host
server.

Cross Site Scripting vulnerabilities in Drop Downs.
     XSS strings entered in the URL query string could cause javascript
alert execution in the user's browser.

Various Cross Site Scripting vulnerabilities.
     Submission of various forms could cause javascript alert execution in
the user's browser when viewing the form results pages.

Data Corruption by query string manipulation.
     Query strings could be crafted to open files and write with the wrong
data.

File type validation flaws.
     It was possible to inject files of unknown types onto the host server
by manipulating the file name and/or using percent encoding in forms.

Impact:
Cross Site Scripting
Manipulation of data
Exposure of sensitive information
System access

Any real exploits for the above issues are possible for registered site
members only and require authorizaton, thus implying a trust factor, and
they are logged. Most of the cross site scripting issues are client side
only.

There is a new security upgrade release of WebAPP v0.9.9.6 available at
http://www.web-app.org/cgi-bin/index.cgi?action=downloads&cat=curstable , to
deal with all of the above mentioned issues.

Regards,
WebAPP
www.web-app.org

*****

----- Original Message ----- 
From: "George A. Theall" <theall at tenablesecurity.com>
To: "Vulnerability Information Managers" <vim at attrition.org>
Sent: Wednesday, March 21, 2007 5:55 PM
Subject: Re: [VIM] WebAPP Audit


> On 03/21/07 13:03, WebAPP wrote:
>
> > Guys, It's not very helpful to read about how people have found exploits
> > and not be told what they are.
>
> Are you referring to my posting yesterday? If so, perhaps it would help
> if I rephrased... In looking at the code changes between 0.9.9.5 and
> 0.9.9.6, I found two vulnerabilities that had been patched and that
> allowed for arbitrary code execution by an authenticated user. These are
> issues that have already been identified and fixed in 0.9.9.6.
> Understand that this was a review of the *changes* made, not a code
> audit itself.
>
> You asked in an earlier message what we would like to see with regards
> to security information from your project. I'm a bit surprised not to
> have seen at least Jericho rise to the challenge, but personally I'd
> like to see more information. Telling people that there's a serious set
> of flaws in a software package and that they need to upgrade asap might
> seem helpful at first blush, but in today's environment, people need a
> way to prioritize. Give them basic information about the flaws so they
> can understand the risks involved in not reacting right away. Are we
> dealing with a cross-site scripting flaw that can be triggered when an
> admin views application logs? A remote file include flaw that's
> exploitable only if PHP's register_globals is enabled (yeah, I know
> WebAPP uses Perl, not PHP, but I'm talking generally here)? A SQL
> injection in a login page by which an attacker can gain admin access? A
> design flaw by which the shopping cart's sales database is in a
> web-accessible location? A feature that lets users upload arbitrary
> files and then run them as a non-root user? This sort of information
> will go a long way to helping your users assess the risks they face.
>
> P.S. I wouldn't be surprised if telling people they really Really REALLY
> need to upgrade motivates malicious people to discover what's been
> patched more than it convinces others to upgrade their own systems.
>
>
> George
> -- 
> theall at tenablesecurity.com
>



More information about the VIM mailing list