Cross-site scripting (XSS) may be the poster child for what's wrong with Web security, but an updated vulnerability report from Mitre suggests that two lesser-known attack vectors are quietly growing as well.
Mitre has quietly released the final version of its 2006 Common Vulnerabilities and Exposures (CVE) report, which it previewed last fall. As the company reported previously, XSS was the number one vulnerability for 2006, displacing SQL injection from the top spot for the first time.
But there are also a couple of surprises in the updated report. For example, PHP Remote File Inclusion (a.k.a. PHP RFI, or php-include) jumped from a number four ranking to number three for the year. PHP RFI vulnerabilities in 2006 increased 1,000 percent from the previous year, and they now account for 13.1 percent of all reported flaws. This puts PHP RFI just behind the better-known SQL injection (13.6 percent). (See Cross-Site Scripting: Attackers' New Favorite Flaw.)
The updated report also flags cross-site request forgery (CSRF) as a vulnerability to watch, even though it accounts for less than 0.1 percent of bugs reported. "There is a real disconnect here between what Web app security researchers are finding on the professional auditing side versus what's being publicly recorded in the CVE," says Steven Christey, principal information security engineer for Mitre. "Researchers who publicly disclose [vulnerabilities] just aren't looking for [CSRF bugs]."