Reputation: 1594
I know that in poorly made codebases SQL injection and JavaScript injection were big issues. In a properly designed codebase these should be fixable by only accepting form data through a sanitization bottleneck module and by explicitly enforcing this constraint on mods and plugins originating from the community, via code review.
Well, so once those issues are fixed, what are the remaining major threats / sources of known vulnerabilities? Are there similarly straightforward potential sanitization solutions for them?
Upvotes: 0
Views: 80
Reputation: 157889
I dunno about the first, but I have a certain answer for the second.
could they be fixed by sanitization?
There is no such thing as "sanitization".
Quite the contrary - a belief in such a magic wand IS the source of all injections.
There is no malicious data. There are different data in different circumstances.
And a "general sanitization bottleneck" will never do any good, spoiling innocent data and leaving malicious data as is.
Whatever "sanitization" (or, better - formatting) should be done depends on the destination of the data.
And just the "daemon" (e.g. SQL, HTML) is not a whole destination point with a single rule.
Say, for HTML you need either htmlspecialchars() or urlencode() for the different destinations.
For the SQL it is FOUR different formatting techniques:
each of them requires completely different formatting, totally unknown at the point of your magic bottleneck.
Upvotes: 1
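An added example, not part of the answer above, showing the htmlspecialchars() / urlencode() point on one harmless value: a single rule applied at input breaks the URL destination, while formatting chosen at output round-trips. The function names, the /search path and the sample input are constructed for illustration.

```php
<?php
// Constructed sample input: an ordinary, non-malicious value.
$input = "Tom & Jerry's <Cafe>";

// Hypothetical "sanitization bottleneck": one fixed rule applied on the way in,
// before the destination of the data is known.
function bottleneck(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Destination-specific formatting, applied at the point of output.
function forHtmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function forUrlParam(string $s): string
{
    return urlencode($s);
}

// Two nested destinations: a query-string value inside an HTML attribute.
function searchLink(string $term): string
{
    $href = '/search?q=' . forUrlParam($term);
    return '<a href="' . forHtmlText($href) . '">' . forHtmlText($term) . '</a>';
}

// What a server would parse out of the query string of a given URL.
function receivedQuery(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

$stored = bottleneck($input);

// 1. Bottleneck output dropped into a URL: the '&' and '#' inside the HTML
//    entities are still URL syntax, so the parameter is split and truncated.
print_r(receivedQuery('/search?q=' . $stored));

// 2. Formatting chosen for the URL destination: the original value comes back.
print_r(receivedQuery('/search?q=' . forUrlParam($input)));

// 3. Bottleneck output sent to a non-HTML destination (plain-text mail, CSV):
//    the innocent value now carries entities it never had.
echo $stored, "\n";

// 4. Each layer formatted for its own destination, from the raw value.
echo searchLink($input), "\n";
```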