A recent article at PCWorld covers research by internet security firm Rapid7 that examined several medium-sized open source applications and found a handful of issues with security implications. According to the article, “The researcher found an issue that could allow remote-authenticated attackers to execute commands on the underlying operating system in six applications”.
The post-authentication command execution issue is not a vulnerability per se, but it is an exposure with security implications, Kirsch said. The developers assumed that the persons who install their applications also administer the entire servers, which is not always true, especially in shared hosting environments or in organizations where separate teams oversee the infrastructure and applications, he said.
This issue can also be used to bypass strong authentication requirements configured on some operating systems to prevent people from easily gaining root access. If the application running on such a system only requires a username and password for authentication and then allows authenticated command execution on the OS, then the stricter controls are bypassed, Kirsch said.
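The pattern described above, shown as a constructed example (not code from any of the applications in the Rapid7 research): an authenticated "run diagnostics" admin feature that hands the admin's input to the OS shell, beside a version that exposes only named operations with validated parameters and no shell. The operation names, the hostname validator and the helper names are assumptions for the illustration; even the hardened form still runs under the web server's OS account, so a separate low-privilege service account remains the OS-level control.

```python
import re
import subprocess
from typing import List

# Before: whoever holds the application's admin password also gets the
# web server account's OS privileges, because the string is run by a shell.
# Shown for contrast only; not exercised below.
def run_diagnostic_unsafe(command_line: str) -> str:
    return subprocess.run(command_line, shell=True,
                          capture_output=True, text=True).stdout

# Constructed validator: a plain hostname, nothing a shell would interpret.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# After: the application offers operations, not commands. Each maps to a
# fixed argv prefix plus one validated parameter passed as its own argument.
ALLOWED_OPERATIONS = {
    "ping": (["ping", "-c", "1"], HOSTNAME_RE),
    "resolve": (["getent", "hosts"], HOSTNAME_RE),
}

def build_diagnostic_argv(operation: str, parameter: str) -> List[str]:
    """Return the argv list for an allowed operation, or raise ValueError."""
    try:
        prefix, validator = ALLOWED_OPERATIONS[operation]
    except KeyError:
        raise ValueError(f"operation not permitted: {operation!r}") from None
    if not validator.fullmatch(parameter):
        raise ValueError("parameter rejected by validator")
    return prefix + [parameter]

def run_diagnostic_safe(operation: str, parameter: str) -> str:
    # No shell: argv elements are never re-parsed, so "; id" cannot become
    # a second command. The process still runs as the service account.
    argv = build_diagnostic_argv(operation, parameter)
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=10).stdout
```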
Rapid7, the security research firm, also published a set of recommendations on its blog, including a note that not every patch has to be code: an update to the documentation can be enough to make administrators aware of the issue. Read more at both http://www.pcworld.com/article/2059580/opensource-software-projects-need-to-improve-vulnerability-handling-practices-researchers-say.html and https://community.rapid7.com/community/metasploit/blog/2013/10/29/seven-foss-disclosures-part-one