[Owasp-topten] RFI taken out

Dave Wichers dave.wichers at aspectsecurity.com
Tue Nov 17 19:28:45 EST 2009

I'm OK with sneaking PHP RFI back in to the Top 10 as a configuration
item that is now covered under A6 - Security Misconfiguration.

I don't know if that is a stretch but it at least is a place to hang
your hat. :-)


-----Original Message-----
From: Steven M. Christey [mailto:coley at linus.mitre.org] 
Sent: Tuesday, November 17, 2009 7:22 PM
To: Ty Miller; Dave Wichers
Cc: owasp-topten at lists.owasp.org
Subject: Re: [Owasp-topten] RFI taken out

On Tue, 17 Nov 2009, Dave Wichers wrote:

> we are trying to get a sense of how big this problem is across all
> of the top 10. Based on the data we saw from MITRE, Aspect, White Hat,
> and Softek, the frequency of this issue had dropped significantly
> 2006/2007, and for non-PHP developers this is a relatively rare issue.

Based on my interpretation of the CVE data, RFI has dropped (relatively
speaking), suggesting that the pool of obviously-vulnerable applications
is dropping, or there is a higher cost-benefit ratio for launching a
successful attack.  I'm seeing more CVEs that target code snippets like
this one from CVE-2009-3064:


This is more LFI than RFI.

Also - in modern PHPs, allow_url_fopen is disabled, which in conjunction
with restrictive register_globals settings, suggests that much of the
remaining RFI problem is related to configuration.  (Though admittedly,
some modern PHP oddities are still equivalent to RFI, and admins are
stuck using older PHP versions.)

Note that RFI/LFI is occasionally reported in CVE for other languages
as ColdFusion, Python, Ruby, and other interpreted languages.  But
extremely rare.  (Could be that the researchers aren't paying attention
this area, though.)

Disclaimer: CVE data is necessarily affected by what vuln researchers
decide to publish, so it reflects their own biases.  And as Dave said,
isn't the only data source for the Top Ten.

- Steve

More information about the Owasp-topten mailing list