[VIM] WebAPP Audit

info at web-app.net info at web-app.net
Sat Mar 24 23:39:50 UTC 2007


I was searching on Google for my name “On Elpeleg” and was shocked to find
this personal attack by Ms. Jos Brown from bantychick.com, claiming that I
had left her site and started my own site.

It is Ms. Jos Brown who happened to be a former developer and a team member
of the original WebAPP group at http://www.web-app.net and started her
spin-off site after she bought the domain several months ago, and not the
other way around.

Please read this email that was just sent to Secunia concerning that. Ms.
Jos has been posting several other posts around trying to trash me
personally and the WebAPP team. Please disregard her posts.

Thank you
On Elpeleg


Incorrect/incomplete information concerning security issue
Dear Sirs,

In your article you are recommending your customers to update to WebAPP
versions 0995 and/or 0996 from web-app.org, while it is only these two
spin-off versions provided by the vendor at web-app.org which are really
insecure. This information unfortunately creates great confusion for the
customers of the original script from http://www.web-app.net. It would also
be important to note that several WebAPP sites using these "patches" have
recently been defaced.

1.) The WebAPP original developers team (since 2002) moved to
http://www.web-app.net over a year ago and developed the current versions
provided both by http://www.web-app.org (spin-off of that version) and
http://www.web-app.net. However, one developer decided to leave the team
(or was rather expelled from the team) and bought the old domain name
www.web-app.org 2-3 months ago. Since then she has been trying very hard to
convince everyone that her site still provides the original script and
support by its original team, which is not correct.

A lookup of the whois history of site changes will provide you with proof
of the change of owners of web-app.org.

Please also see this article:
http://www.web-app.net/cgi-bin/index.cgi?action=viewnews&id=6 (Jos Brown
is the new owner of the spin-off site at www.web-app.org ).

2.) All versions released by web-app.org since the above mentioned
developer left the team are insecure, while NONE of the other versions
ever released by the original WebAPP team ( http://www.web-app.net ) have
this critical back door that allows users to steal admin/root access to
this server via this back door.

Please see this test by Monty53 (a white hat hacker from Turkey):

You may contact him for more information at monty53 at gmail.com. He says
that he managed to deface all versions mentioned in your articles as
"secure" while failing to do so in any of the original versions provided by
http://www.web-app.net.

3.) You define the issue as "Moderately critical" while in fact it is a
severe critical issue. This is because any user out there can access the
admin control panel and thereby edit/delete/add paths, using the script as
a server and acting as a root on that server. I am not sure you are aware
of that, but this indicates a severe critical security issue.

Should you require more information, kindly contact me at on at web-app.net or
call me at 0047 90151475.

Kind regards

On Elpeleg
WebAPP security team

Copy: WebAPP Security team members
