02.12.07
A firestorm only blows inward
It was a strange weekend as this one-man team worked feverishly to douse the flames of security problems. First, from Italy, the disclosure of a directory traversal bug in POW 0.0.7. Strange, since I tested my own code (using Firefox), and many other new servers, using this fun trick. Better tools are needed to expose this bug.
Just try 'GET /../../ HTTP/1.0' and see what happens. Only bad things happen. Almost as embarrassing, George from Tenable Security informed me that the wrong page is sometimes delivered to the user. The first bug is fixed in 0.0.9. The second bug fix will come later this week.
This proves Steve Gibson's adage that only time can prove security, not pronouncements, speculation or even good coding practices.
The good thing is that I built POW with security in mind. SJS files only execute in certain locations. The security holes never worked on password-protected sites. I do not eval client data. I accept highly limited input to MySQL.
Others might shy away from disclosure, but really, it's your software. I'd rather sacrifice a number of users in exchange for assurance to the users that holes will be fixed quickly. And for speed, I fixed the vulnerability less than 24 hours after it was posted.
Dave