Christopher Kunz reports on the existence of another web app worm, this time exploiting in the widely used Mambo portal/CMS system.  Like the Santy worm that attacked phpBB, Elxbot identifies vulnerable installs via Google, but goes way beyond simple site defacement.

Jeff Moore discusses this as a good example of why web apps need better installation/update systems.  He’s absolutely right.  Wordpress, one of the most popular open-source web apps, has a fairly decent installer, but is a nightmare to upgrade.  The developers don’t even release “upgrades” per se, but give users some minimal instructions on what files to overwrite and what to skip.  Even though the XML-RPC vulnerability that hit Wordpress and many other PHP-based apps a few months ago was patched immediately, it seems likely that there are large numbers of Wordpress users that are unaware of the problem and have not installed (it’s difficult to find sources for stats on this, though).

Beyond that, this underlines the need for both educating developers on secure coding practices, and developing freely available tools to help developers audit their applications.  This is particularly important for the open-source web applications that drive a large portion (a majority?) of dynamic web sites.  An Information Week article from a couple weeks ago that discusses how malicious coders are now targeting applications (including web apps) quotes Howard Schmidt:

In an e-mail, Howard Schmidt, a noted cyber-security expert and former CSO for both Microsoft and eBay, said the SANS report highlights the utility of hardening the presentation and application layers as a means to reduce cyber security events. “The first stop on the way to fix this is through secure coding and better QA of development processes, penetration testing on compiled code as well as vulnerability testing of integrated deployed applications via Web front ends,” he wrote.

Hopefully more people will start to realize this before the problem gets worse.