Having detected a serious security hole - Expert Of FPT DPS is internationally recognized.
A serious OpenLiteSpeed vulnerability was discovered by Ngo Anh Duc - a security expert of DPS Cybersecurity COE. It has been recognized as a bug with the code CVE 2020-5519 (https://nvd.nist.gov/vuln) / detail / CVE-2020-5519). PenOpenLiteSpeed is originally a web server, behind NGINX and Apache. OpenLiteSpeed owns a GUI console for web management admins and in this console allows to customize the settings of external apps to configure the server to execute commands.
During the trial version of LiteSpeed’s Enterprise, Duc and his colleague Nguyen Xuan Hoa (DPS.ADD) performed log configuration for web server and discovered the logging function was flawed. Specifically, the WebAdmin dashboard in OpenLiteSpeed (Community edition) does not strictly check required URLs. The impact of this error is quite serious, when hackers can completely rely on that to hijack the server.
Along with reporting the flaw, Mr. Ngo Anh Duc has also introduced a solution for OpenLiteSpeed that is filtering user input data before processing on the server. After receiving the report of Ngo Anh Duc, OpenLiteSpeed immediately recognized and thanked him, and agreed to confirm with Miter to assign CVE ID. Thanks to Mr.Duc’s solution, OpenLiteSpeed fixed the flaw within days.
Mr Ngo Anh Duc shared: “I am very satisfied with the cooperation of LiteSpeed and also realized a lesson is: the bigger the system, the easier it is to have very simple holes.”
This discovery is a testament to the strong security capabilities of DPS Cybersecurity COE experts. Earlier in 2019, Ngo Anh Duc also became the first individual of FSOFT to achieve a certificate of professional attack security - OSCP of Top 5 desirable penetration and test certificates for security experts and is the only certification that requires a practice test.