[Owasp-topten] RFI taken out

Steven M. Christey coley at linus.mitre.org
Tue Nov 17 19:22:20 EST 2009


On Tue, 17 Nov 2009, Dave Wichers wrote:

> we are trying to get a sense of how big this problem is across all users
> of the top 10. Based on the data we saw from MITRE, Aspect, White Hat,
> and Softek, the frequency of this issue had dropped significantly since
> 2006/2007, and for non-PHP developers this is a relatively rare issue.

Based on my interpretation of the CVE data, RFI has dropped (relatively
speaking), suggesting that the pool of obviously-vulnerable applications
is dropping, or there is a higher cost-benefit ratio for launching a
successful attack.  I'm seeing more CVEs that target code snippets like
this one from CVE-2009-3064:

  require("./../".$_GET["filename"]);

This is more LFI than RFI.

Also - in modern PHPs, allow_url_fopen is disabled, which in conjunction
with restrictive register_globals settings, suggests that much of the
remaining RFI problem is related to configuration.  (Though admittedly,
some modern PHP oddities are still equivalent to RFI, and admins are often
stuck using older PHP versions.)

Note that RFI/LFI is occasionally reported in CVE for other languages such
as ColdFusion, Python, Ruby, and other interpreted languages.  But that's
extremely rare.  (Could be that the researchers aren't paying attention in
this area, though.)

Disclaimer: CVE data is necessarily affected by what vuln researchers
decide to publish, so it reflects their own biases.  And as Dave said, CVE
isn't the only data source for the Top Ten.

- Steve
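The include pattern quoted above beside two hardened forms, as an added example that is not part of this thread or of the application in CVE-2009-3064; the pages/ directory, the page names and the allow_url_include remark are assumptions for illustration:

```php
<?php
// Added example, not code from the thread or from the product in CVE-2009-3064.
// Assumes a hypothetical pages/ directory of includable templates.

// Vulnerable shape quoted in the thread: the request value is spliced into the
// include path, so "../" sequences pick arbitrary local files (LFI) and, where
// allow_url_include is on, a URL pulls remote code (RFI).
function include_page_vulnerable(string $filename): void
{
    require("./../" . $filename);
}

// Preferred fix: the untrusted value is only a key into a fixed allowlist, so
// it never reaches the filesystem or a stream wrapper at all.
const ALLOWED_PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_page_allowlist(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        return null;   // unknown key: nothing is included
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$name];
}

// Fallback when an allowlist is impractical: canonicalise with realpath() and
// require the result to stay under the intended base directory. realpath()
// returns false for URL wrappers and non-existent files, which rejects them too.
function resolve_page_under_base(string $name, string $base): ?string
{
    $baseReal  = realpath($base);
    $candidate = realpath($base . '/' . $name . '.php');
    if ($baseReal === false || $candidate === false) {
        return null;
    }
    // Compare with a trailing separator so "pages2/" is not accepted as "pages/".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside the base directory (e.g. "../../etc/passwd")
    }
    return $candidate;
}

// Usage: fail closed on anything that does not resolve.
$page = resolve_page_allowlist($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit;
}
require $page;
```

Either resolver makes the configuration knobs the post mentions (allow_url_fopen, register_globals) defence in depth rather than the only thing standing between a request parameter and an include.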

