Cross-site scripting (XSS) may be the poster child for what’s wrong with Web security, but an updated vulnerability report from Mitre suggests that two lesser-known attack vectors are quietly growing as well.

Mitre has quietly released the final version of its 2006 Common Vulnerabilities and Exposures (CVE) report, which it previewed last fall. As the company reported previously, XSS was the number one vulnerability for 2006, usurping SQL injection for the first time.

But there are also a couple of surprises in the updated report. For example, PHP Remote File Inclusion (a.k.a. PHP RFI, or php-include) jumped from a number four ranking to number three for the year. PHP RFI vulnerabilities in 2006 increased 1,000 percent from the previous year, and they now account for 13.1 percent of all reported flaws. This puts PHP RFI just behind the better-known SQL injection (13.6 percent). (See Cross-Site Scripting: Attackers’ New Favorite Flaw.)

The updated report also flags cross-site request forgery (CSRF) as a vulnerability to watch, even though it accounts for less than 0.1 percent of bugs reported. "There is a real disconnect here between what Web app security researchers are finding on the professional auditing side versus what’s being publicly recorded in the CVE," says Steven Christey, principal information security engineer for Mitre. "Researchers who publicly disclose [vulnerabilities] just aren’t looking for [CSRF bugs]."
Article Link: http://www.darkreading.com/document.asp?doc_id=125321&WT.svl=news2_1