October 30, 2013, 1:18 PM — Many open-source software developers need to improve the way in which they handle vulnerability reports, according to researchers from security firm Rapid7, who recently found and reported vulnerabilities in seven popular open-source software applications.
There's a line of thought among some users that open-source software is more secure than commercial software because there are more people looking at the source code and providing feedback or because open-source projects can patch issues faster.
Rapid7 worked with Brandon Perry, an application security engineer and regular contributor to the Metasploit penetration testing framework, to test that theory, said Christian Kirsch, product marketing manager at Rapid7, in an interview Wednesday at the RSA Europe security conference in Amsterdam.
At the beginning of August, Perry selected seven of the most popular open-source Web applications hosted on SourceForge.net and started looking for vulnerabilities in them. Within two weeks he found security flaws in all of them, Kirsch said.
The researcher found an issue that could allow remote authenticated attackers to execute commands on the underlying operating system in six applications: Moodle, a Web-based learning/course management system that has been downloaded over 4.7 million times from SourceForge; vTiger, a Web-based customer relationship management system with over 3.6 million downloads; Zabbiz, a software product for monitoring network and application performance in enterprises with almost 3 million downloads; ISPConfig, a Web hosting control panel for Linux servers with 1.5 million downloads; OpenMediaVault, an OS distribution based on Debian Linux for network-attached storage servers with over 700,000 downloads; and NAS4Free, a network-attached storage server OS based on FreeBSD with over 600,000 downloads.
Perry also found an XXE (XML eXternal Entity) vulnerability in Openbravo ERP, an open-source enterprise resource planning (ERP) product with 2.1 million downloads on SourceForge, that could allow an attacker to read arbitrary files from the file system with the permissions of the user running the application.
The researcher and Rapid7 then alerted the developers and worked with the Computer Emergency Response Team Coordination Center (CERT/CC) to coordinate the disclosures. They also developed Metasploit exploit modules for the vulnerabilities and released them on Wednesday.
Only three of the seven software projects -- Openbravo ERP, vTiger CRM and ISPConfig -- patched the issues reported to them. Three projects said that they won't fix the authenticated remote command execution issue because they believe it's by design and one project did not communicate their plans.