Seventeen disclosures over the last two weeks, with six issues unfixed.
Sorry I wasn’t able to get last week’s list out on time. As I mentioned previously, I was at HighEdWeb all last week and have spent most of this week catching up from being out so long. Luckily, there weren’t any critical vulnerabilities disclosed last week. I’ve folded all of last week’s disclosures into this week’s list.
Other Security News
The big news, in my opinion, late last week was the announcement of the second release candidate for the OWASP Top Ten 2017. As with the first release candidate, A4-2013 Insecure Direct Object References and A7-2013 Missing Function Level Access Control were merged into the new A5-2017 Broken Access Control. Removed from the 2013 list are A8-2013 Cross-Site Request Forgery (CSRF) and A10-2013 Unvalidated Redirects and Forwards. When I asked about A8’s removal, the current project lead replied that it was number thirteen in their data set, and exploitable in 4% of pen test results. In our internal audits of systems on campus, CSRF is a consistent, exploitable issue. But then, higher education almost always lags behind the rest of the industry.

A3-2013 Cross-Site Scripting has been moved to position seven (A7-2017), and two new entries have been added: A4-2017 XML External Entities (XXE) and A10-2017 Insufficient Logging and Monitoring. I won’t try to explain XXE, as this SensePost blog post does a much better job than I could, but I am surprised this issue rose to the level of making it into the top ten. I haven’t seen any XXE issues in our internal scans for some time.

A10-2017 Insufficient Logging and Monitoring was named A7-2017 Insufficient Attack Protection in the first release candidate and caused quite a bit of drama in the security community, despite Dave Wichers’ excellent job of explaining the intent behind its entry. I’m glad they’ve renamed it to describe the issue more accurately, but it will be interesting to see whether the security community accepts it.