0x01 : Vendor description of software
-------------------------------------
From the vendor website:
"evalSMSI is a web application, developed in PHP / MySQL, to evaluate the
Information Security Management System for some entities."
0x02 : Vulnerability details
----------------------------
evalSMSI 2.1.03 contains multiple vulnerabilities.
systems in action. The only way that can be done is by attacking it
every way possible, pushing the impossible, and seeing why and how the
security breaks. That’s exactly what the OSSTMM does.
During past ISO meetings, the Subcommittee 27, mostly known for its
ISO/IEC 27000 family (Information Security Management System) and
ISO/IEC 15408 (Common Criteria), already discussed the topic within
different working groups (WG) with no clear outcome. Meanwhile, some
ISECOM members, like Dr. Fabio Guasconi in Italy and Heiko Rudolph
together with Aaron Brown in Germany, have become active participants
in their respective ISO national bodies to help inform their ISO