The Honeynet Project released a technical white paper that every web application developer and wannabe web coder should read. It details which packages have problems, what the vulnerabilities are, and how each vulnerability gets exploited. Topics covered are Remote Code Inclusion, SQL Injection, and Cross Site Scripting (XSS).
What’s also surprising (though it makes sense if you think about it) is that in the 2006 SANS survey, SANS listed web applications as the number one cross-platform attack target. Then again, with as many people writing code and not thinking about security, I can see why this has happened. That, and people are generally not smart enough to look through code before slapping it on their web server (note: a long time ago, in a galaxy far far away, I did this too…). I’ve downloaded several packages only to delete them just from looking at the code.
The following packages are talked about in detail:
- PHP XMLRPC Code injection vulnerability - because this is a library it is very hard to estimate the number of installations.
- Mambo remote code-inclusion, around 1,300,000 publicly accessible installations.
- AWStats configdir command injection, around 170,000 publicly accessible installations. (However, access to AWStats is usually restricted so that only the site admins can view the visitor statistics.)
- PHPBB admin_styles remote code-inclusion, around 1,500,000 publicly accessible installations.
- PHPBB viewtopic code injection (the flaw that Santy exploited), around 1,500,000 publicly accessible installations.
- WebCalendar includedir remote code-inclusion, around 230,000 publicly accessible installations.
- Coppermine Photo Gallery remote code-inclusion, around 430,000 publicly accessible installations. (In this case the exploit was against the third item in the reference, a problem with theme.php and THEME_DIR.)
- Zeroboard remote code-inclusion problem, very hard to estimate number of installations.
- PHPNuke SQL injection in querylang parameter, very hard to estimate number of installations.
What surprises me is that WordPress is not on the list, given all the reporting that WordPress does in its code. If you didn’t know this, the line `<meta name="generator" content="WordPress 2.0.9" /> <!-- leave this for stats -->` is in the publicly viewable code of nearly every WordPress template, front end or back end. With the version string WP publishes, an attacker can focus on a vulnerability specific to that exact release.
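To check your own pages for this kind of version disclosure, here is an added example (not from the original post or the Honeynet paper) that parses a page’s `<head>` the way a fingerprinting scan would read it and reports what the generator tag gives away. The sample HTML is constructed, not captured from a real site.

```python
"""Audit an HTML page for version-disclosing <meta name="generator"> tags."""
import re
from html.parser import HTMLParser

# Matches a trailing dotted version number such as "2.0.9" after the product name.
_VERSION_RE = re.compile(r"^(?P<product>.*?)\s*(?P<version>\d+(?:\.\d+)+)\s*$")


class GeneratorTagFinder(HTMLParser):
    """Collect generator meta content values and HTML comments from a page."""

    def __init__(self):
        super().__init__()
        self.generators = []  # content= values of generator meta tags
        self.comments = []    # raw comments, e.g. "leave this for stats"

    def handle_starttag(self, tag, attrs):
        # Self-closing <meta ... /> also reaches handle_starttag via handle_startendtag.
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator" and attr.get("content"):
            self.generators.append(attr["content"].strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())


def find_disclosures(html):
    """Return (product, version) pairs disclosed by generator tags; version is "" if absent."""
    finder = GeneratorTagFinder()
    finder.feed(html)
    finder.close()
    results = []
    for value in finder.generators:
        match = _VERSION_RE.match(value)
        if match:
            results.append((match.group("product"), match.group("version")))
        else:
            results.append((value, ""))
    return results


# Constructed sample head in the WordPress 2.0.x style; not from a real site.
SAMPLE_HEAD = """<html><head>
<title>Example blog</title>
<meta name="generator" content="WordPress 2.0.9" /> <!-- leave this for stats -->
<meta name="Generator" content="Some Theme Tool" />
</head><body></body></html>"""

if __name__ == "__main__":
    for product, version in find_disclosures(SAMPLE_HEAD):
        print(f"generator disclosed: {product} {version}".rstrip())
```

Once the generator line is removed from the theme template, rerun this over the live page to confirm that no product or version string remains.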
Anyway, enough of me talking, check out the full report.
