Shortly after releasing the BlindElephant report at BlackHat USA 2010, we were contacted by the maintainers of phpBB to contest the results we reported in the whitepaper and the slide deck. They informed us specifically of an error in our interpretation of the affected versions and severity of a recent vulnerability. Additional discussion led us to realize that a simplification made to more easily convey the data could be misleading. Hence, we are releasing an updated Version 2 of the whitepaper and slides to clarify these issues.
Updated material includes the following corrections:
- Corrections to phpBB Data: A vulnerability affecting only version 3.0.7 was wrongly indicated to affect all previous versions, and the severity has been reduced based on feedback from the maintainers. We have also indicated that the obsolete phpBB2 is separate from phpBB3. This made the % of phpBB hosts that are running an out-of-date version of the software drop to 40%.
- Improved Granularity in Vulnerability Indications: The initial whitepaper release indicated the most recent security update for each application and supplied a percentage of discovered hosts running versions older than this; this improperly implied that all previous versions suffered from a vulnerability. Version 2 takes into account parallel supported codebases (e.g. 1.x and 2.x), as well as more specific information about which versions are and are not affected by the most recent security update. We are providing updated graphs for Drupal, Joomla, MovableType, phpBB, phpMyAdmin, and SPIP. This update reduced the % of out-of-date hosts for MovableType to 77%, for phpMyAdmin to 78% and for SPIP to 57%.
- Patching Behavior versus Vulnerability Stance: Ultimately BlindElephant is a tool that only attempts to provide accurate information on remote web application versions; the discussions of the percent of vulnerable hosts are only an attempt to show concrete implications of user patching and update behavior. The percentages should not be compared as a relative measure of security of the codebases.
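To make the difference between the two counting methods concrete, here is an added example (not code from the BlindElephant project or the whitepaper) that classifies a constructed set of fingerprinted host versions both the original way (everything older than the latest security release is flagged) and the Version 2 way (per supported branch, flagging only versions the advisory actually affects). The host counts, branch names and affected set are all constructed for illustration.

```python
from collections import Counter
from fractions import Fraction


def parse_version(v):
    """'3.0.7' -> (3, 0, 7) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def naive_out_of_date(host_versions, latest_fixed):
    """Original method: every host older than the most recent security
    release is counted as out of date, implying it is vulnerable."""
    cutoff = parse_version(latest_fixed)
    flagged = sum(1 for v in host_versions if parse_version(v) < cutoff)
    return Fraction(flagged, len(host_versions))


def granular_out_of_date(host_versions, branches, affected):
    """Version 2 method: each host is judged against its own supported
    branch (branches maps major version -> latest release on that branch),
    and only versions in the advisory's affected set are flagged.
    Returns (per-category counts, fraction of hosts actually affected)."""
    counts = Counter()
    for v in host_versions:
        branch = v.split(".")[0]
        if branch not in branches:
            counts["unsupported_branch"] += 1   # obsolete codebase, tracked separately
        elif v in affected:
            counts["affected"] += 1
        elif parse_version(v) < parse_version(branches[branch]):
            counts["older_but_unaffected"] += 1  # behind, but not hit by this advisory
        else:
            counts["current"] += 1
    return counts, Fraction(counts["affected"], len(host_versions))


def sample_hosts():
    """Constructed fingerprint results: 55 hosts across an obsolete 0.x line
    and two supported branches, 1.x and 2.x (hypothetical version numbers)."""
    return ["0.9.1"] * 5 + ["1.4.0"] * 10 + ["1.4.2"] * 5 + ["2.0.3"] * 20 + ["2.0.4"] * 15


def compare():
    hosts = sample_hosts()
    branches = {"1": "1.4.2", "2": "2.0.4"}   # latest release per supported branch
    affected = {"2.0.3"}                       # only version the advisory affects
    naive = naive_out_of_date(hosts, "2.0.4")
    counts, granular = granular_out_of_date(hosts, branches, affected)
    return naive, counts, granular


if __name__ == "__main__":
    naive, counts, granular = compare()
    print(f"naive: {float(naive):.0%} flagged; granular: {float(granular):.0%} affected; {dict(counts)}")
```

On the constructed data the naive method flags 40 of 55 hosts (about 73%) while the granular method flags 20 (about 36%), with the 1.4.0 hosts counted as behind but unaffected and the 0.x hosts kept separate.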
Lastly, large-scale tests of BlindElephant provided data on the adoption of various versions of supported applications, and insight into the patch and update behavior of system administrators. We share these BlindElephant results with the community only to encourage discussion about how these applications are actually deployed and used by websites. This research should not be construed as a recommendation or a criticism of any of the applications discussed.