To discuss this vulnerability and its implications we talked with Amichai Shulman, the co-founder and CTO of Imperva, where he heads the ADC. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM, and Microsoft.
In your opinion, what is going to be the impact of this vulnerability?
This is very alarming for any application using DWR. It requires application programmers to take immediate actions as a workaround. I think DWR writers will have to issue a patched version soon.
Are you expecting more such vulnerabilities in the near future?
I certainly do. Most people think of AJAX vulnerabilities in terms of a client side problem. However, in reality AJAX is vulnerable to server side vulnerabilities as well. This is 100% true for AJAX frameworks that comprise a server side component (DWR, GWT, Amazon). This type of vulnerability is also very likely to affect applications that use client only frameworks because programmers tend to shift the application logic from the server to the client, and they sometimes shift security logic together with it. The result is that the server is left vulnerable to direct attacks that bypass the "legitimate" client side code.
What do you think about the full disclosure of vulnerabilities?
The guiding principle of the Imperva Application Defense Center (ADC) is to protect customers. As a result, we follow the vulnerability disclosure protocol of each platform we research. For example, when working with commercial software platforms like Oracle, IBM DB2, Sybase, and Microsoft SQL Server, the ADC submits vulnerability discoveries to the appropriate vendor so they can issue a patch or fix in a timely fashion. Once a patch has been released, the ADC publishes a free technical advisory that explains the vulnerability and how to mitigate it. To protect our customers until a patch is released, Imperva automatically updates our SecureSphere Database security appliances and web application firewalls with the means to identify and mitigate the attack.
In the case of open source platforms, like AJAX, formal vulnerability disclosure protocols do not exist. However, customers do have access to the source code so they are able to take immediate corrective action without having to depend on the platform provider for patches. In this case we believe the best course of action for protecting customers is to inform them publicly as soon as we can provide both information about the vulnerability and a recommended mitigation techniques. This arms organizations with the knowledge they need to take preventive measures and secure vulnerable applications. In the case of the DWR vulnerability, which is very straightforward and does not require any special tools to exploit, this approach benefits programmers who are responsible for securing their applications, not attackers. That's because the nature of this vulnerability is so simple to exploit that its is likely hackers are aware or will soon become aware of it independent of any public disclosure.