Tracking down vulnerable web apps on a hosting service
Looks like one of the worst things that can happen to a web app project has happened to WordPress - one of their releases was compromised by a “cracker”
http://wordpress.org/development/2007/03/upgrade-212/
I was in the “at risk” group of recent installs, so I upgraded as soon as I saw the news post. The difficulty server admins face in tracking down vulnerable web apps installed on their service is worth a bit of further examination.
For web hosts, tracking down vulnerable web apps can be a major problem. A good percentage of users just don’t understand that once running, their “off the shelf” or open source apps may need regular updates.
There is no one standard I’m aware of by which you can locate a vulnerable version of a CMS or blog software, because the structures and designs vary so wildly. Some problems you can run into when trying to locate vulnerable installations are:
- Some include version numbers in each of the code files, some don’t.
- There is no guarantee that where there is a global changelog or version file for the app that all of the files in the installation have been updated to this version.
- Those who heavily modify their CMS installations may have to be very careful when applying updates and can be even more reluctant to do so. The more heavily modified an install is, the more difficult and time consuming it is, at a glance, to identify what fixes it has in place.
- Searching for the vulnerable code is sometimes necessary. This can be difficult because vulnerable code may only be vulnerable in certain specific situations.
Tracking down vulnerable WordPress installs for this particular instance wouldn’t be too bad - you can just check the file modification / creation date on the affected files in wp-includes. This can indeed be the quickest and crudest way of identifying vulnerable installs: if an install hasn’t been modified for a couple of years (or even six months with some CMSs), it’s a reasonably safe bet it’s going to be vulnerable.
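As an added example (not code from the original post), here is a POSIX shell inventory that walks a hosting root, reads the $wp_version that WordPress records in each install’s wp-includes/version.php, compares it against a minimum fixed release, and applies the crude “nothing touched in wp-includes recently” check from the paragraph above. The minimum release (2.1.2, taken from the linked upgrade post), the 180-day idle threshold and the four sample customer sites are all assumptions; the sample tree is constructed in a temp dir for the demo.

```shell
#!/bin/sh
# Inventory WordPress installs under a hosting root. WordPress records its
# release in wp-includes/version.php as  $wp_version = '2.1.1';  so each
# install is reported as outdated (below the fixed release), stale (nothing
# in wp-includes modified for MAX_AGE_DAYS), unknown-version, or ok.

# Print the $wp_version value from a version.php file (empty if absent).
wp_version_of() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# True when dotted version $1 sorts numerically below $2.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# scan_wordpress ROOT MIN_VERSION MAX_AGE_DAYS -> "dir version status" per install
scan_wordpress() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while read -r f; do
        inc=$(dirname "$f"); ver=$(wp_version_of "$f"); status=ok
        if [ -z "$ver" ]; then status=unknown-version
        elif version_lt "$ver" "$2"; then status=outdated
        elif [ -z "$(find "$inc" -type f -mtime "-$3" | head -n 1)" ]; then status=stale
        fi
        printf '%s %s %s\n' "$(dirname "$inc")" "${ver:-?}" "$status"
    done
}

# Build a constructed hosting tree (four hypothetical customers) and print its path.
make_demo_root() {
    root=$(mktemp -d)
    for site in alice bob carol dave; do
        mkdir -p "$root/$site/public_html/wp-includes"
    done
    printf "<?php\n\$wp_version = '2.1.1';\n" > "$root/alice/public_html/wp-includes/version.php"
    printf "<?php\n\$wp_version = '2.1.2';\n" > "$root/bob/public_html/wp-includes/version.php"
    printf "<?php\n\$wp_version = '2.1.2';\n" > "$root/carol/public_html/wp-includes/version.php"
    printf "<?php\n// version line lost to a heavy customisation\n" > "$root/dave/public_html/wp-includes/version.php"
    # bob's install has not been touched since 2005: backdate everything in wp-includes
    find "$root/bob/public_html/wp-includes" -type f -exec touch -t 200501010000 {} +
    echo "$root"
}

# Usage: scan the demo tree with the fixed release and idle threshold.
root=$(make_demo_root)
scan_wordpress "$root" 2.1.2 180
```

On a real server you would point scan_wordpress at the customers’ document roots instead of the demo tree; an unknown-version result is exactly the heavily modified install that needs a manual look.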
I’m not aware of any framework for checking for vulnerable web apps. Yes, Metasploit and Nessus can help you check a specific site or server for various vulnerabilities, but as a host you’re looking to track down every install on your server with published security vulnerabilities that should have been patched by the user and that requires further action to ensure security.
The difficulty is that such a tool would have to address all the problems listed above. I’d love to know if such a tool / database is in development anywhere.
N.B. The above isn’t to suggest that the risks of vulnerable web app installs can’t be mitigated by good server security. But identifying and removing installs that allow remote code execution etc. is another task that can reduce the risk of a “passing” attack hitting your machines.
Rowan :: Mar.03.2007 :: Security, Web Apps, Web Hosting :: No Comments »