Open source web apps often insecure, new tool discovers

Qualys BlindElephant fingerprints trouble

Security company Qualys has released a new open source tool, 'BlindElephant', which can accurately fingerprint web applications down to version level in order to better manage the security issues which now plague such software.

According to the company, the need for such a tool is pressing. Web applications, including open source apps, are a huge area of potential vulnerability for most organisations, largely because it is difficult to determine which applications are running on a website, and at which version.

Using BlindElephant to assess a range of popular open source web apps running on 1,084,152 hosts, the company said it had found extensive vulnerabilities in the apps commonly running on many sites. This is also an area where open source has a strong presence.

Seventy-seven percent of sites running the blogging tool Movable Type showed critical vulnerabilities, somewhat better than the 91 percent of sites using the Joomla! content management system, the 95 percent running Mediawiki, and the 78 percent using phpMyAdmin database management software.

Others showing significant levels of critical vulnerabilities included Moodle (74 percent affected), Drupal (69 percent), and SPIP (57 percent affected).

WordPress reduced critical vulnerabilities to the low level of 4 percent, something Qualys puts down to that application’s easy, reliable updating design, while the latest version of phpBB, version 3.x, showed zero percent vulnerabilities.

“Standard web applications are commonly targeted by attackers and then subverted for malware distribution,” said Qualys CTO, Wolfgang Kandek.

“We are releasing the BlindElephant tool as an open source project in order to allow users to protect themselves and monitor their web applications. It is also an initial stepping stone to work with the community to increase the number of fingerprinted web applications.”

The company emphasised that the vulnerability percentages did not reflect any inherent issue with open source software when compared to proprietary software.

BlindElephant would not check for vulnerabilities so much as identify applications, and their versions, to a high degree of accuracy. Knowing precisely what is installed was often a problem for admins, Kandek said, and the source of many difficulties in dealing with vulnerabilities.

The tool computed a hash for each application-related file it found on a host and compared those hashes against a pre-computed fingerprint database, which made it possible to identify precisely which application, and which version, a file belonged to.
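The hash-matching approach described above, as an added example that is not BlindElephant's own code: a small Python model of a pre-computed fingerprint database (path, content hash, versions) and a matcher that narrows the candidate versions of an installed application from the hashes of its static files. The application name, file paths and contents are constructed; the article does not say which hash function the tool uses, so SHA-256 is an assumption.

```python
import hashlib
from collections import defaultdict

# Constructed release contents for a hypothetical "exampleapp" (a real
# fingerprint database would be built from every published release archive).
RELEASES = {
    "1.0": {"readme.txt": b"ExampleApp 1.0\n", "js/app.js": b"var v=1;\n", "css/site.css": b"body{}\n"},
    "1.1": {"readme.txt": b"ExampleApp 1.1\n", "js/app.js": b"var v=1;\n", "css/site.css": b"body{}\n"},
    "2.0": {"readme.txt": b"ExampleApp 2.0\n", "js/app.js": b"var v=2;\n", "css/site.css": b"body{margin:0}\n"},
}

def file_hash(content: bytes) -> str:
    """Hash of a file's bytes; the same function must be used when building the DB and when scanning."""
    return hashlib.sha256(content).hexdigest()

def build_fingerprint_db(releases):
    """Pre-compute path -> hash -> set of versions that ship exactly that content."""
    db = defaultdict(lambda: defaultdict(set))
    for version, files in releases.items():
        for path, content in files.items():
            db[path][file_hash(content)].add(version)
    return db

def fingerprint(db, all_versions, observed):
    """observed: path -> hash of the file as found on the host.

    Each known (path, hash) pair narrows the candidates to the versions that
    ship that exact content. A hash the DB does not know for that path (a
    locally edited file, or a release not in the DB) is reported rather than
    used to narrow, so one patched file cannot silently rule out the true version."""
    candidates = set(all_versions)
    unmatched = []
    for path, h in observed.items():
        if path not in db:          # file the DB knows nothing about: no information
            continue
        versions = db[path].get(h)
        if versions is None:
            unmatched.append(path)
        else:
            candidates &= versions
    return candidates, unmatched

def observe(files):
    """Hash a host's files (constructed input here, standing in for reading them from disk)."""
    return {path: file_hash(content) for path, content in files.items()}
```

Files whose content is identical across releases (js/app.js in 1.0 and 1.1 above) cannot separate those versions, which is why the database needs every file that changes between releases rather than a single marker file.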

The source code can be downloaded here under LGPL. An explanatory white paper is also available.
Techworld UK - Technology - Business