Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Submission + - Sourceforge Review Exposes Holes in Smaller Open Source Projects (

msm1267 writes: Metasploit exploit modules were released recently for post-authentication command execution and arbitrary file-read vulnerabilities in smaller enterprise open source applications such as Moodle, vTiger CRM and Openbravo ERP. The seven packages in question have been downloaded more than 16 million times over the lifetime of the projects.
“Sixteen million downloads over the lifetime of those projects is a pretty decent install base,” Metasploit's Tod Beardsley said. “Coupled with the adventures I had in vulnerability disclosure with these guys indicated to me that they are not very well-practiced at receiving vulnerability notification, which makes me think we may have been the first or among the first that have ever contacted them about security vulnerabilities.”
Some of the software projects listed here did not acknowledge these were even security issues; five of the seven have not been patched, for example.
“In Moodle’s case, they don’t believe it’s a bug, which is fine. They can believe that. I talked to them, and they have reasonable arguments why it’s not a bug and normal. But in the end, pen testers don’t care if a vendor calls it a bug or not. If they can get a shell off of it, it’s good for the bad guys and it’s good for penetration testers.”

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Sourceforge Review Exposes Holes in Smaller Open Source Projects

Comments Filter:

"We don't care. We don't have to. We're the Phone Company."