[Owasp-topten] RC1 comments

Paweł Krawczyk pawel.krawczyk at hush.com
Sun Feb 17 18:51:43 UTC 2013


Well LFI, yes, but LFI has such low impact (though there are many ways
to convert it to RFI) that nobody cares.

If LFI/RFI has such low impact, how come they account for almost 40% of
defacements (Dec 2012-Feb 2013)? File Inclusion: 36.884%

Anything that allows you to execute your code on the server will be
high impact in most cases. Example (1 million sites hacked, today Bing
still shows 460k results):
http://blog.sucuri.net/2011/10/timthumb-php-mass-infection-aftermath-part-i.html
Comment from Imperva on the same topic of LFI/RFI which I fully agree
with:
http://blog.imperva.com/2011/12/why-rfi-gets-no-respect.html