This page contains references to things CGISecurity.com has been involved with.
I co-founded the Web Application Security Consortium with Jeremiah Grossman in 2004.
I am the lead moderator for 'The Web Security Mailing List'.
* www.net-security.org/article.php?id=91 This is an article I helped review content for, including making some changes and suggestions.
* Snort.org's web-attacks.rules I wrote these rules and submitted them to snort.org. They found them to be interesting enough to include them in their 1.8.2 release. These rules are based off of my Paper #3 findings. CREDITS
I found that mod_info gave away way too much information about other Apache modules. It seems the Apache coders knew this but never decided to document it. Without documentation on the risks, people don't pay much attention. After a few emails pushing the risks and a need for this documentation, they updated the website page on 8/5/02 to reflect these risks.
"In particular, this module can leak sensitive information from the configuration directives of other Apache modules such as system paths, user names/passwords, database names, etc. Due to the way this module works there is no way to block information from it. Therefore, this module should ONLY be used in a controlled environment and always with caution."
* Documentation 'assistance' with "security tips" document in Apache's manual
I noticed that Apache module add-ons all write as the same user, and that not all embedded scripting languages (like mod_php etc.) have built-in wrappers. This means that while you can wrap all CGI and SSI scripts with suEXEC, you can't wrap things like mod_php, mod_perl, etc. This means that any user using these embedded scripting languages is at risk, and could have data modified or removed by an attacker. I originally asked Apache if they would write an Apache wrapper specifically to allow a module to write as a different user than the webserver user. They told me one for 2.x is in the works but that nothing is planned for 1.3.x. At least the warning below was added to the security tips document, so users are more aware of this issue. Added to Apache 1.3 CVS on 11/7/02.
"Other sources of dynamic content
Embedded scripting options which run as part of the server itself, such as mod_php, mod_perl, mod_tcl, and mod_python, run under the identity of the server itself (see the User directive), and therefore scripts executed by these engines potentially can access anything the server user can. Some scripting engines may provide restrictions, but it is better to be safe and assume not"
* Contributed to the Web Application Security Consortium's 'Threat Classifications' Document
Download the Threat Classification Document Here
This documentation was created by 18 people, including yours truly.
* Contributed peer review and knowledge to the Center for Internet Security's Apache benchmark project: CIS Level 1 & 2 Benchmark and scoring tool for Apache