
How NOT to Write Security Advisories

Posted January 26, 2005 – 2:06 pm by Yakov Shafranovich in Technology

While reading this week’s US-CERT Cyber Security Bulletin # SB05-026, I came across a rather scary vulnerability in gForge, a popular project management system (a fork of SourceForge):

A Directory Traversal vulnerability exists due to insufficient sanitization of the ‘dir’ parameter in ‘controller.php’ and the ‘dire_name’ parameter in ‘controlleroo.php,’ which could let a remote malicious user obtain sensitive information.

I looked up the advisory on Google (“STG Security Advisory: [SSA-20050120-24] GForge 3.x directory traversal vulnerability”) and tried executing it on a gForge installation that I administer. Surprisingly, it didn’t work. After some digging, I figured out that in order to trigger this one must have a valid user account for gForge AND the CVS module for the project in question MUST BE enabled. In my case, both were false. HOWEVER, the security advisory AND the CERT bulletin both failed to mention these two crucial facts, which would mitigate the vulnerability significantly.

The moral of the story: let’s learn to write security advisories better and stop scaring people.
