Difference between revisions of "Talk:Top 10 2007"

From OWASP
Jump to: navigation, search
(Should we have an editable .DOC file on a WIKI page with all the known vulnerabilities in the format?)
 
Line 4: Line 4:
  
 
It would be especially embarrassing if all of us security wizards got ourselves infected with a nasty virus or something because of this...
 
It would be especially embarrassing if all of us security wizards got ourselves infected with a nasty virus or something because of this...
 +
 +
The idea that you're concerned with the .doc file format, but not the fact that you have 0 security/oversight in place WRT who becomes a contributer/editor of the content is what's most alarming to me. My primary concern however, and the reason that I'm posting this, is the fact that the list of items in the "Top 10" doesn't seem to follow any standardized format as far as criterion is concerned. Number 4 and Number 10 describe the exact same security flaw, and they should be combined to be #1, considering that since each flaw amounts to the same essential level of vulnerability the only way to reasonably order or rank them would be by how common they are. Number 7, 8, and 9 are also all basically the same issue, and again should be higher on the list of vulnerabilities, considering they're probably the second or third most common issue.
 +
 +
One issue I do not see mentioned, that relates directly to items 4 and 10, is internal permissions/ownership of files/processes. If the Apache and or Tomcat user owns all of the files, or god forbid has root access, anyone connected to the site has full permissions to any and all directories/files available under the site's home directory. And can even effect the system outside of the site's directory

Revision as of 18:18, 19 June 2007

Does it make sense to be distributing an editable .DOC file? I believe there are currently 5 zero-day vulnerabilities in .DOC files to which MS has provided no patch. Leaving a .doc file on a WIKI page where anyone can edit it just seems dangerous to me.

Can we convert it to .RTF? I believe there are currently no known threats in that format and it is nearly as rich as .DOC.

It would be especially embarrassing if all of us security wizards got ourselves infected with a nasty virus or something because of this...

The idea that you're concerned with the .doc file format, but not the fact that you have 0 security/oversight in place WRT who becomes a contributer/editor of the content is what's most alarming to me. My primary concern however, and the reason that I'm posting this, is the fact that the list of items in the "Top 10" doesn't seem to follow any standardized format as far as criterion is concerned. Number 4 and Number 10 describe the exact same security flaw, and they should be combined to be #1, considering that since each flaw amounts to the same essential level of vulnerability the only way to reasonably order or rank them would be by how common they are. Number 7, 8, and 9 are also all basically the same issue, and again should be higher on the list of vulnerabilities, considering they're probably the second or third most common issue.

One issue I do not see mentioned, that relates directly to items 4 and 10, is internal permissions/ownership of files/processes. If the Apache and or Tomcat user owns all of the files, or god forbid has root access, anyone connected to the site has full permissions to any and all directories/files available under the site's home directory. And can even effect the system outside of the site's directory