Threat Level: green Handler on Duty: Russ McRee

SANS ISC: InfoSec Handlers Diary Blog - New version (v 1.4.3.1) of BASE available InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

New version (v 1.4.3.1) of BASE available

Published: 2009-06-04
Last Updated: 2009-06-04 00:17:10 UTC
by Raul Siles (Version: 1)
2 comment(s)

A new version of BASE (v.1.4.3.1) has been released, fixing a number of XSS flaws as well as a potential SQL injection flaw that have existed through numerous releases of BASE. BASE is a web-based interface to perform analysis of network intrusion data gathered by Snort.  You can download the latest version here.

As these vulnerabilities were publicly announced previously on the Internet, without prior notification to Kevin Johnson (main BASE author) or the BASE project team, I want to emphasize how important responsible full disclosure is. Specially for open-source projects, where the authors devote their time to make the project freely available for everybody, it is fair to let them know first and give them a reasonable time to fix the vulnerability. In this case, only a few days (in particular 6 days) after the announcement a new version was ready. Not bad in my opinion.

Additionally, these flaws can be exploited being authenticated or not, depending on your BASE set up.  Still today, lot of people do not require authentication to use BASE, which is a mistake. If it is your case, please, act as soon as possible!

Finally, as we have seen in the past a few times, do not expose your BASE web interface to the whole Internet. Keep it private within a protected management network.

--
Raul Siles
www.raulsiles.com

Keywords: BASE
2 comment(s)
Diary Archives