Topic: The supposed "poison NULL byte vulnerability"
Edit: After you've read this, make sure to read my fantastic follow-up
About two weeks ago, a security advisory titled "multiple PHP application poison NULL byte vulnerability" popped up on BugTraq. The advisory claimed that various PHP applications, among them phpBB and PunBB, were vulnerable. Now I can't speak for any other application, but I can assure you that PunBB is NOT. The original author of the report probably thought PunBB was a fork of phpBB and assumed PunBB was vulnerable as well. He sure as hell can't have looked at the source code.
Just for fun, I decided to check out the Wikipedia entry on BugTraq. Here's a quote from that article:
Bugtraq was created on November 5, 1993 by Scott Chasin in response to the perceived failings of the existing Internet security infrastructure of the time, particularly CERT. Bugtraq's policy was to publish vulnerabilities, regardless of vendor response, as part of the full disclosure movement of vulnerability disclosure.
Elias Levy, aka Aleph One, noted in an interview that "the environment at that time was such that vendors weren't making any patches. So the focus was on how to fix software that companies weren't fixing."
That's great, but fast-forward 13 years and we end up with this: anyone can write up a vulnerability report on a piece of software, and that information will be assumed to be correct. Not only that, the information spreads like wildfire, making it impossible to "repair the damage" in case it turns out to be false. You see, once something appears on BugTraq, a million other security databases include the report on their websites and on their mailing lists.
Now I'm fine with the "guilty until proven innocent" approach when it comes to security, but come on! Isn't there some kind of review process involved in all of this? I think we "vendors" need to have a say in this before a bogus report ends up on every security website in the world. Sure, we can reply to the BugTraq posting and dispute the report, but that has virtually no impact.
Oh well, I guess I'll go e-mail a bunch of vulnerability databases.