Open source developers clueless about security disclosure, Rapid7 finds

Names vulnerable SourceForge web apps

Open source developers can be just as clueless at handling third-party security disclosures affecting their products as the often-criticised closed source sector, a researcher for security firm Rapid7 has discovered after spotting exploitable issues in a clutch of popular web apps hosted on SourceForge.

Ironically, the easiest part of engineer Brandon Perry's security research appears to have been finding vulnerabilities in seven applications with a lifetime download count of 16 million. These ranged from an educational tool called Moodle (4.7 million downloads), a CRM tool called vTiger (3.6 million downloads) to relative minnows such as the OpenMediaVault (703,000) and NAS4Free home storage software.

Most of the issues related to problems in the design of applications (i.e. intended functions misused) while one - that found in Openbravo ERP - was a conventional software flaw.

Perry and Rapid7 admit two points about these applications; none is in the league of an Apache or a Wordpress and many of the installs might not in use any longer. But if even a few percent remain live that would still equivalent to hundreds of thousands of vulnerable targets.

Conventionally, some of the flaws might also be described as 'hacks' rather than flaws but to the pen-tester that makes no odds; if an attacker can misuse a function whose limitations are not adequately documented then it is a hole that gives attackers a way in.

Only three of the seven were patched during Rapid7's disclosure period.

The story should end with the news that Rapid7 has released modules that hit each issue for Metasploit, but the more interesting issue turned out to be the difficulties Perry's Rapid7 colleague Tod Beardsley (who handled disclosure) had in simply communicating with the projects themselves prior to going public.

"Despite this level of apparent popularity, though, the actual business of disclosing vulnerabilities to the software developers directly was... circuitous. Across these seven projects, I found there were at least seven different approaches to handling incoming vulnerability reports," said Beardsley in his blog.

Incredibly, during the disclosure period one of the projects had asked for a password-protected zip file containing the details while another "filed the issue on a public bug tracker which promptly e-mailed it back in cleartext," said Beardsley.

It was as if none of these FOSS (free and open source software) developers had even thought about having a structured disclosure policy because the applications had been built on their features alone. Security was for security applications.

"In the security space the awareness is much higher. If it's in another space their focus is different," Rapid7's product marketing manager Christian Kirsch told Techworld at this week's RSA Show in Amsterdam.

"There was a lot of education that we had to do along the way. They didn't seem to have a high level of security awareness," he said.

The team's advice to FOSS developers was to start by having a signed PGP key that authenticated the contact email address for third parties to communicate flaws. From that point onwards, all communications should use encryption and acknowledge receipt. Developers should make this whole process as easy to find and understand as possible.

Vulnerabilities that involved feature exploitation should be documented and communicated to the end users, many or all of whom will not be plugged into the CERTs and Bugtraqs used by developers.

Last but not least, the users of SourceForge should not blindly assume that open source applications are any more secure or any easier to secure when flaws are found. As with proprietary developers there seems to be good and bad, complacent and attentive.

Rapid7 details its disclosure policy on its website.

Tags: applications, security, Rapid7, Wordpress, software

JP Morgan to invest £150 million on boosting cyber security

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Open Space Security Suite

Kaspersky Open Space Security provides complete business protection in a single integrated suite of applications that work seamlessly across all platforms.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.