11/15/03 Microsoft Frontpage Overflow
First off sorry for the lag on site updates. I'll be gone all next week and I've been busy. - admin
A chunked encoding overflow has been discovered in fp30reg.dll, part of the FrontPage Server Extensions, which can allow a remote attacker to execute commands.
More importantly, going by the advisory's own dates, the fix took over nine months. Relevant information from the advisory:
"Public disclosure on November 11, 2003"
"Discovered and advised to Microsoft January 30, 2003 by Brett Moore of
Security-Assessment.com"
11/6/03 "The Anatomy of Cross Site Scripting" Paper released
Gavin Zuchlinski has released a cross site scripting paper which provides examples
of bad PHP code, and also talks a little about automating an attack. Additional papers on XSS can be found in our
"Cross site scripting (XSS) flaws are a relatively common issue in web application security, but they are still extremely lethal. They are unique in that, rather than attacking a server directly, they use a vulnerable server as a vector to attack a client. This can lead to extreme difficulty in tracing attackers, especially when requests are not fully logged (such as POST requests). Many documents discuss the actual insertion of HTML into a vulnerable script, but stop short of explaining the full ramifications of what can be done with a successful XSS attack. While this is adequate for prevention, the exact impact of cross site scripting attacks has not been fully appreciated. This paper will explore those possibilities." - Gavin Zuchlinski
11/6/03 Oracle Application Server 9i and RDBMS Multiple SQL Injection Vulnerabilities
"Oracle's RDBMS, a leading database server package, supports stored packages
and procedures through the use of PL/SQL. These packages and procedures can
be accessed through Oracle's Application Server's Portal module. Oracle
Application Server is a web server designed for Oracle applications. Many of
the PL/SQL packages and procedures are vulnerable to SQL Injection. Using
these vulnerabilities an unauthenticated attacker can gain access to all
data in the database from the Internet." -
10/29/03 New Versions Of Apache Fix Security Vulnerabilities
Users are urged to upgrade to the newest versions of Apache, 1.3.29 and 2.0.48,
to address the issues listed below (the 1.3.28 and 2.0.47 entries further down this page cover the earlier fixes).
Apache 1.3.29 Advisory
"* CAN-2003-0542 (cve.mitre.org)
Fix buffer overflows in mod_alias and mod_rewrite which occurred if
one configured a regular expression with more than 9 captures."
Apache 2.0.48 Advisory
" *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
the AF_UNIX socket used to communicate with the cgid daemon and
the CGI script. [Jeff Trawick]
*) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and
mod_rewrite which occurred if one configured a regular expression
with more than 9 captures. [André Malo]"
10/23/03 Web Security Appliance With Apache and mod_security
"As more and more attacks are being carried out over the HTTP layer there is a growing need to push the envelope and bring Web security to new levels. Most existing tools work on the TCP/IP level, failing to use the specifics of the HTTP protocol in their operation. The need for increased security has lead to the creation of application gateways, tools that are essentially reverse proxies with the added capability of protocol analysis. Many commercial solutions are available. This article will demonstrate how you can build your own application gateway with little effort, using open source components that are widely available." - Ivan Ristic
10/21/03 Paros Open Source Java Proxy 3.0.2 Released
"We wrote a program called "Paros" for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified." -
Below are some of the features added in this release:
"* Improved SQL injection check
* Added default file check for JRUN
* Added default files check for IIS 4, IIS 5 and IIS 6
* Added default files check for ColdFusion
* Added "ReplaceResponseHeader" filter to automatically change pattern in response header
* Added "ReplaceResponseBody" filter to automatically change pattern in response body
* Fixed a problem for default file check with "Scan All" function"
10/19/03 mod_security v1.7 released
"Mod_security 1.7 has been released. It is immediately available for
download from:
This release contains major new functionality, see changes below for
more details.
About mod_security
------------------
Mod_security is an Apache module whose purpose is to protect
vulnerable applications and reject human or automated attacks.
It is an open source intrusion detection and prevention system
for Apache. In addition to request filtering, it also creates Web
application audit logs. Requests are filtered using regular
expressions. Some of the things possible are:
* Apply filters against any part of the request (URI,
headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks
With a few general rules mod_security can protect from both
known and unknown vulnerabilities.
Changes (v1.7)
--------------
* Output filtering has been added to Apache 2.x.
* The ability to filter cookies directly has been added.
* Apache can now pretend to be some other Web server through
the SecServerSignature directive.
* Three new actions: "allow" to finish filter processing and let
the request through, "chain" to chain several filters together
(logical AND), and "skipnext" to skip over filters.
* A new anti-evasion technique to fight null-byte attacks.
* Finally, the module now runs on Netware.
--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]"
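The release notes above describe filtering any part of the request with regular expressions and a new anti-evasion technique for null bytes. The toy filter below is an added example written for this page, not mod_security code: it shows why the canonicalisation step matters. Percent-encoding is decoded until the value stops changing and null bytes are stripped and flagged before any pattern is applied, so a double-encoded quote or a null byte spliced into a keyword cannot slip past the rules. The rule set and the request lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed rules in the spirit of mod_security's regex filters (not the
# project's own rule set): a label and a pattern applied to each decoded field.
RULES = [
    ("sqli", re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s+1\s*=\s*1")),
    ("xss", re.compile(r"(?i)<script\b|javascript:|\bon(error|load|mouseover)\s*=")),
    ("traversal", re.compile(r"\.\./|\.\.\\")),
]


def normalize(value: str):
    """Canonicalise one attacker-controlled field before any rule sees it.

    Returns (canonical_value, had_null_byte). Percent-decoding is repeated
    until stable so %2527 ends up as a quote; null bytes are stripped and
    reported, so neither 'prefix%00payload' nor 'scr%00ipt' can hide a
    keyword from the patterns.
    """
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    had_nul = "\x00" in value
    value = value.replace("\x00", "")
    return re.sub(r"\s+", " ", value), had_nul


def inspect_request(request_line: str, body: str = "") -> list:
    """Return the sorted labels of every rule that fires on the path, the
    query string parameters or the POST body parameters."""
    _method, _, target = request_line.partition(" ")
    target = target.rsplit(" HTTP/", 1)[0]
    parts = urlsplit(target)
    fields = [parts.path]
    # keep_blank_values so an empty parameter is still inspected
    fields += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if body:
        fields += [v for _, v in parse_qsl(body, keep_blank_values=True)]
    hits = set()
    for raw in fields:
        canon, had_nul = normalize(raw)
        if had_nul:
            hits.add("nullbyte")
        for label, pattern in RULES:
            if pattern.search(canon):
                hits.add(label)
    return sorted(hits)
```

Matching the raw query string instead of the normalised fields would miss the first two cases entirely: `%2527` decodes to `%27` once and to `'` only on the second pass, and `scr%00ipt` never spells `script` until the null byte is removed.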
10/18/03 Microsoft OWA Contains cross site scripting flaw
"A cross-site scripting (XSS) vulnerability results due to the way that Outlook Web Access (OWA) performs HTML encoding in the Compose New Message form. An attacker could seek to exploit this vulnerability by having a user run script on the attacker's behalf. The script would execute in the security context of the user. If the script executes in the security context of the user, the attacker's code could then execute by using the security settings of the OWA Web site (or of a Web site that is hosted on the same server as the OWA Web site) and could enable the attacker to access any data belonging to the site where the user has access." - Microsoft
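Both the XSS paper above and this OWA advisory come down to the same thing: user-controlled text reaching an HTML page without encoding for the context it lands in. The example below is added here and is not from either source. It renders a constructed search term into element content and into a quoted attribute, first unencoded and then with html.escape, and audits the result with Python's own HTML parser for anything a browser would execute. The payloads are constructed for this demonstration.

```python
import html
from html.parser import HTMLParser


def render_vulnerable(query: str) -> str:
    """Reflect the search term into the page without encoding (reflected XSS)."""
    return ('<p>Results for: ' + query + '</p>'
            '<input type="text" name="q" value="' + query + '">')


def render_safe(query: str) -> str:
    """Encode for HTML text and for a double-quoted attribute before reflecting.

    html.escape(quote=True) turns < > & " and ' into entities, so the input can
    neither open a new element nor terminate the attribute value it sits in.
    """
    text = html.escape(query, quote=True)
    return ('<p>Results for: ' + text + '</p>'
            '<input type="text" name="q" value="' + text + '">')


class ScriptAudit(HTMLParser):
    """Parse the rendered page the way a browser would and record anything
    that could run script: <script> elements, on* event handlers and
    javascript: URLs in href/src attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.findings.append('script element')
        for name, value in attrs:
            if name.startswith('on'):
                self.findings.append('event handler ' + name)
            elif name in ('href', 'src') and (value or '').strip().lower().startswith('javascript:'):
                self.findings.append('javascript: URL in ' + name)


def audit(page: str) -> list:
    parser = ScriptAudit()
    parser.feed(page)
    parser.close()
    return parser.findings


# Constructed payloads: one for element content, one that breaks out of the
# quoted value attribute and adds an event handler.
PAYLOADS = ['<script>alert(document.cookie)</script>', '" onmouseover="alert(1)']


def compare(payload: str) -> dict:
    """Audit the same payload rendered both ways."""
    return {'vulnerable': audit(render_vulnerable(payload)),
            'safe': audit(render_safe(payload))}
```

Note that the audit looks at the parsed tree rather than searching the page text: the safely rendered page still contains the characters `onmouseover=`, but they sit inside a single attribute value and are inert.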
10/6/03 JBoss vulnerable to remote command execution
"The impact of this vulnerability should be considered as critical. Throughout its exploitation, any user can gain complete control over a vulnerable system by means of a remote attack. By sending a specially crafted sequence of SQL statements to TCP port 1701 of the vulnerable JBoss system, an attacker can exploit the vulnerabilities and in the worst case execute any code with the privileges of the Java process executing JBoss."
-
Read more below.
Vendor Patches
10/6/03 Mono 0.28 Released
"The Mono Project is an open development initiative sponsored by Ximian that is working to develop an open source, Unix version of the Microsoft .NET development platform. Its objective is to enable Unix developers to build and deploy cross-platform .NET Applications. " - Mono
Version 0.28 was released on October 1st. For more details read the press release below.
09/30/03 OpenSSL Multiple vulnerabilities
Four security issues have been discovered in OpenSSL. Below are the relevant snippets from
the advisory.
"1. Certain ASN.1 encodings that are rejected as invalid by the parser
can trigger a bug in the deallocation of the corresponding data
structure, corrupting the stack. This can be used as a denial of service
attack. It is currently unknown whether this can be exploited to run
malicious code. This issue does not affect OpenSSL 0.9.6.
2. Unusual ASN.1 tag values can cause an out of bounds read under
certain circumstances, resulting in a denial of service vulnerability.
3. A malformed public key in a certificate will crash the verify code if
it is set to ignore public key decoding errors. Public key decode errors
are not normally ignored, except for debugging purposes, so this is
unlikely to affect production code. Exploitation of an affected
application would result in a denial of service vulnerability.
4. Due to an error in the SSL/TLS protocol handling, a server will parse
a client certificate when one is not specifically requested. This by
itself is not strictly speaking a vulnerability but it does mean that
*all* SSL/TLS servers that use OpenSSL can be attacked using
vulnerabilities 1, 2 and 3 even if they don't enable client authentication."
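Issues 1 and 2 above are ASN.1 parsing problems: a rejected encoding whose cleanup corrupts the stack, and unusual tag values that drive an out-of-bounds read. As an added example, not OpenSSL's code, here is a minimal DER reader in Python that enforces the checks a robust parser needs: every length is compared against the bytes actually remaining inside the enclosing element, indefinite and non-minimal lengths are refused, and high-tag-number encodings are capped instead of consumed blindly. The `check` helper and the hex test vectors are constructed for this example.

```python
from typing import List, Optional, Tuple


class DERError(ValueError):
    """Raised for any encoding the parser refuses to consume."""


def read_tag(buf: bytes, pos: int) -> Tuple[int, bool, int, int]:
    """Decode an identifier octet plus any high-tag-number continuation bytes.

    Returns (tag_number, constructed, tag_class, next_pos). The number of
    continuation bytes is capped so an "unusual" tag cannot walk off the end
    of the buffer or overflow a fixed-width integer in a C implementation.
    """
    if pos >= len(buf):
        raise DERError("truncated tag")
    first = buf[pos]
    pos += 1
    tag_class, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    if number == 0x1F:
        number = 0
        for _ in range(4):  # cap: at most 28 bits of tag number
            if pos >= len(buf):
                raise DERError("truncated high tag number")
            b = buf[pos]
            pos += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
        else:
            raise DERError("tag number too large")
    return number, constructed, tag_class, pos


def read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length: short form, or long form of at most four octets.

    Indefinite (0x80) and non-minimal encodings are invalid in DER and are
    rejected rather than guessed at.
    """
    if pos >= len(buf):
        raise DERError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        raise DERError("indefinite length not allowed in DER")
    n = first & 0x7F
    if n > 4:
        raise DERError("length field too long")
    if pos + n > len(buf):
        raise DERError("truncated long-form length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if (n == 1 and length < 0x80) or (n > 1 and buf[pos] == 0):
        raise DERError("non-minimal length encoding")
    return length, pos + n


def parse(buf: bytes, pos: int = 0, end: Optional[int] = None, depth: int = 0) -> List[dict]:
    """Walk the TLVs in buf[pos:end], recursing into constructed values.

    Every length is checked against the bytes that actually remain inside the
    enclosing element before a single byte of value is touched.
    """
    if end is None:
        end = len(buf)
    if depth > 32:
        raise DERError("nesting too deep")
    items = []
    while pos < end:
        tag, constructed, tag_class, pos = read_tag(buf, pos)
        length, pos = read_length(buf, pos)
        if length > end - pos:
            raise DERError("length %d exceeds remaining %d bytes" % (length, end - pos))
        item = {"tag": tag, "class": tag_class, "constructed": constructed}
        if constructed:
            item["children"] = parse(buf, pos, pos + length, depth + 1)
        else:
            item["value"] = buf[pos:pos + length]
        items.append(item)
        pos += length
    return items


def check(hex_der: str) -> str:
    """Parse a constructed hex test vector; returns 'ok' or the parser's refusal."""
    try:
        parse(bytes.fromhex(hex_der))
        return "ok"
    except DERError as exc:
        return str(exc)
```

The important line is the comparison against `end - pos`, not `len(buf)`: a child element's declared length must fit inside its parent, otherwise a crafted certificate can make one field's value overlap the next field's header.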
09/29/03 Site Updates
Sorry for the lack of updates this month I have been VERY busy. Below is a list of changed items.
* I recently added a ton of stuff to the section. The best way to find
stuff is to use our search engine.
* We are STILL looking for people who are interested in writing technical articles under a 'guest feature' section for
www.cgisecurity.com. Proper credit will be given to all authors at the top of each article. Each author will be
allowed a paragraph at the bottom of their article providing a little information about themselves or their company.
These articles will focus on some of the subjects listed below.
Web services security
Language specific threats and solutions
Web Server security
Secure server configuration tips
Application server security
Proxy server security
Web Application Penetration testing
Attack signature development
Web Application Intrusion detection
Building a secure application from the ground up
Enterprise security
.NET Security
Anything else relevant to web security
If you or your company is interested in writing an article, please contact us.
9/28/03 "What is IIS Security?"
Joe Lima has released an article on IIS security fundamentals.
09/7/03 Two new Blind SQL Injection papers released
This week two new papers on blind SQL injection have been released. The first, from Webcohort, goes into detail on
how to detect blind SQL injection and how to carry out an attack. The paper from SPI Dynamics covers similar
information, but also contains example fixes for ASP.NET and JSP applications.
- spidynamics
- webcohort
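The Oracle entry above (SQL injection in PL/SQL packages reachable through the web tier) and these two blind SQL injection papers describe the same flaw from two sides: a statement built by string concatenation, and an attacker who gets no data back but can still ask yes/no questions. The example below is added here and is not code from either paper or from the Oracle advisory. It uses SQLite and a numeric id where the papers discuss Oracle, ASP.NET and JSP, but the technique is the same: a vulnerable page, a fixed page that validates and binds the parameter, a boolean-based probe, and character-by-character extraction of a value the page never displays. The schema and data are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a product catalogue and a users table holding
    the secret the attacker is after. SQLite stands in for the real server."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        CREATE TABLE users(name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def product_page_vulnerable(conn, product_id: str) -> str:
    """Builds the statement by concatenation: anything after the id is executed."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"
    return "Product: " + row[0] if row else "No such product"


def product_page_fixed(conn, product_id: str) -> str:
    """Validates the type and binds the value; the id can only ever be a number."""
    try:
        pid = int(product_id)
    except ValueError:
        return "No such product"
    row = conn.execute("SELECT name FROM products WHERE id = ?", (pid,)).fetchone()
    return "Product: " + row[0] if row else "No such product"


def blind_probe(page, base: str) -> bool:
    """Boolean-based blind test: append an always-true and an always-false
    condition. An injectable page answers the true case exactly like the
    baseline and the false case differently."""
    baseline = page(base)
    return page(base + " AND 1=1") == baseline and page(base + " AND 1=2") != baseline


def blind_extract(page, base: str, expr: str, max_len: int = 32) -> str:
    """Recover the string value of a SQL expression one character at a time,
    using only the true/false behaviour of the page (nothing is echoed)."""
    baseline = page(base)

    def holds(cond: str) -> bool:
        return page(base + " AND (" + cond + ")") == baseline

    length = next((n for n in range(max_len + 1)
                   if holds("length(" + expr + ") = " + str(n))), None)
    if length is None:
        return ""
    out = ""
    for pos in range(1, length + 1):
        for code in range(32, 127):
            ch = chr(code)
            if ch == "'":
                continue  # would need quoting; omitted to keep the example short
            if holds("substr(" + expr + ", " + str(pos) + ", 1) = '" + ch + "'"):
                out += ch
                break
        else:
            out += "?"
    return out


def demo() -> dict:
    """Run both pages through the probe and the extraction."""
    conn = make_db()
    vuln = lambda pid: product_page_vulnerable(conn, pid)
    fixed = lambda pid: product_page_fixed(conn, pid)
    secret = "(SELECT password FROM users WHERE name='admin')"
    return {
        "vulnerable_probe": blind_probe(vuln, "1"),
        "fixed_probe": blind_probe(fixed, "1"),
        "extracted": blind_extract(vuln, "1", secret),
        "extracted_fixed": blind_extract(fixed, "1", secret),
    }
```

The fix is the combination of type validation and a bound parameter; either alone is weaker (a bound string parameter still accepts `1 AND 1=1` as a value, it just no longer executes it, and an integer cast alone is easy to forget on the next query).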
08/30/03 Securing MySQL: step-by-step
SecurityFocus has published "Securing MySQL: step-by-step", a guide to locking down
your MySQL server.
"MySQL is one of the most popular databases on the Internet and it is often used in conjunction with PHP.
Besides its undoubted advantages such as ease of use and relatively high performance, MySQL offers simple
but very effective security mechanisms. Unfortunately, the default installation of MySQL, and in particular
the empty root password and the potential vulnerability to buffer overflow attacks, makes the database an easy
target for attacks.
This article describes the basic steps which should be performed in order to secure a MySQL database against both
local and remote attacks. This is the third and last of the series of articles devoted to securing Apache, PHP and
MySQL." - www.securityfocus.com
08/30/03 Writers wanted for "Guest Feature" section
We are looking for people who are interested in writing technical articles under a 'guest feature' section for
www.cgisecurity.com. Proper credit will be given to all authors at the top of each article. Each author will be
allowed a paragraph at the bottom of their article providing a little information about themselves or their company.
These articles will focus on some of the subjects listed below.
Web services security
Language specific threats and solutions
Web Server security
Secure server configuration tips
Application server security
Proxy server security
Web Application Penetration testing
Attack signature development
Web Application Intrusion detection
Building a secure application from the ground up
Enterprise security
Anything else relevant to web security
If you or your company is interested in writing an article, please contact us.
08/25/03 Added Penetration Testing Section
I have created a quick reference section for penetration testers. This section
breaks down some of our documentation into categories a pen-tester would care about. We provide information on Session ID attacks,
cross site scripting, SQL injection, HTTP header modification, cookie poisoning and more. This new section can be found on the blue upper right-hand tab above. I will be adding more documentation to this section soon. Please contact us if you think we missed something.
08/24/03 Penetration Testing for Web Applications (Part Three)
Securityfocus.com has released Part Three, which talks about
logic programming flaws and Session ID issues, and mentions a few useful tools for auditing web applications.
08/20/03 MRTG for Intrusion Detection with IIS 6
I found this interesting article on SecurityFocus which explains how to use MRTG (a popular traffic monitoring tool) to
monitor intrusion attempts against an IIS 6.0 machine.
"But MRTG is also a very effective intrusion detection tool. The concept is simple: attacks often produce some kind of anomalous pattern and human brains are well-equipped to spot anomalous patterns, given some way to visualize those patterns. The MRTG does just that -- it gives you the big picture of your network traffic and it also slices it into different views, allowing you to see any counter trends for the last week, month, or year." - securityfocus
08/16/03 Basic IIS Lockdown Using Scripts and Group Policy
"Microsoft Active Directory and Group Policy have a feature-rich set of tools and processes to help save an administrator time and energy in maintaining security within the domain. Locking down a server requires many steps to complete, and depending on the extent to which the server is locked down, it can take up to several hours. This paper is primarily written for system administrators who want to make their life managing IIS easier using scripts with Active Directory and Group Policy. " - securityfocus
8/14/03 Database Server section added
I have added a section to this site.
This will cover database server security specifically. Our first addition is .
Now onto a few site changes:
I have removed the Intrusion Detection tab for the time being because I don't feel I'll be working on it
for at least a few months.
In the next month I will be adding a complete advisory list of every web server, database server, and application
server mentioned on this site.
We are still looking for someone to create us an animated banner. This site is non-profit
and for this reason we can't afford to pay someone to create us a banner. We will provide the creator
of our banner free advertising, along with proper credits given.
This site is really growing. If you feel we are missing something (in any section) please contact us. I run this entire site
in my spare time, and I try to provide quality content.
08/6/03 Tomcat security page added
We have added a Tomcat security page to our application server section. This page
will provide links to tutorials, downloads, security documentation, and forums where you can talk about Tomcat
security. We will also be releasing a Resin application server security section on this website sometime
this month. Documentation on Resin and Tomcat security is scarce, so please contact us if you find something we missed.
PS: We are looking for an animated banner for our website. Banner donators will receive free advertising.
Please contact us if you are interested.
07/29/03 LDAP Injection paper released
A new paper, "LDAP Injection: Are your web applications vulnerable", has been released
describing the risks of unvalidated user input in LDAP queries within your web applications.
LDAP injection is very similar to SQL injection, just against LDAP servers instead of a database.
PS: Sorry for the contact form downtime. It has been fixed.
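The paper's point, shown as added example code that is not from the paper: LDAP search filters (RFC 4515) use `(`, `)`, `*` and `\` as syntax, so unescaped input can close the intended filter and open its own. Below is a small filter parser and matcher over a constructed directory, the login filter built two ways, and the RFC 4515 escaping that keeps the input inside the value. The lenient parse that stops at the first complete filter mimics what the classic payload relies on; strict mode rejects the trailing data. The directory entries, user names and passwords are constructed.

```python
import re

# Constructed directory standing in for the LDAP server.
ENTRIES = [
    {"uid": ["admin"], "userPassword": ["s3cret"]},
    {"uid": ["bob"], "userPassword": ["hunter2"]},
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the metacharacters * ( ) \\ and NUL become a
    backslash plus two hex digits, so they are data, never syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def login_filter_vulnerable(user: str, password: str) -> str:
    """Concatenates raw input into the filter (the flaw the paper describes)."""
    return "(&(uid=" + user + ")(userPassword=" + password + "))"


def login_filter_safe(user: str, password: str) -> str:
    return ("(&(uid=" + escape_filter_value(user) +
            ")(userPassword=" + escape_filter_value(password) + "))")


def parse_filter(s: str, i: int = 0):
    """Parse one filter starting at s[i]; returns (tree, index after it).
    Supports &, |, ! and equality / presence / substring items."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return ("!", [kid]), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)  # an escaped ')' is written \29, so this is the real one
    return ("=", s[i:eq], s[eq + 1:close]), close + 1


def _unescape(v: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":  # presence test
        return bool(values)
    # an unescaped '*' is a wildcard; an escaped '\2a' survives as a literal
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    rx = re.compile("^" + ".*".join(parts) + "$", re.S)
    return any(rx.match(v) for v in values)


def search(filter_str: str, entries=ENTRIES, strict: bool = False) -> list:
    """Return the uids matching the filter. Lenient mode stops after the first
    complete filter and ignores the rest, the behaviour the classic injection
    payload counts on; strict mode rejects trailing data."""
    tree, end = parse_filter(filter_str)
    if strict and end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["uid"][0] for e in entries if matches(tree, e)]
```

With the user name `*)(uid=*))(|(uid=*` and any password, the vulnerable filter becomes `(&(uid=*)(uid=*))(|(uid=*)(userPassword=wrong))`: the first complete filter matches every entry and the password check is left in the ignored tail. After escaping, the same input is one long literal that matches nobody.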
07/28/03 IIS Security section added!
A new section has been added to this website containing links to IIS security patches, tools,
whitepapers, and more. I plan on adding a Tomcat security page after I get back from attending DEF CON this week.
Please contact us if you see something we missed and feel that it should be added.
07/26/03 Three vulnerabilities found in popular Oracle software
Below are the advisory summaries from each issue.
"Oracle's RDBMS, a leading database server package, supports stored packages
and procedures through the use of PL/SQL. These packages and procedures can
be extended by allowing calls to be made to operating system libraries. Any
library loaded in this way is done so by a process external to the main
RDBMS, namely extproc. Extproc is vulnerable to a classic stack based buffer
overflow. This can be exploited remotely by an attacker. No user ID or
password is necessary." - NGSSoftware
"The Oracle Applications FNDWRR CGI program, used to retrieve report
output from the Concurrent Manager server via a web browser, has a remotely
exploitable buffer overflow." - Integrigy
"The Oracle Applications AOL/J Setup Test Suite, used to trouble-shoot
the Self-Service framework, can be exploited to remotely retrieve sensitive
configuration and host information without application authentication.
The AOL/J Setup Test Suite is installed by default for all 11i implementations." - Integrigy
07/23/03 Two new articles from Securityfocus.com
SecurityFocus has released the following two articles: one on log parsing with Microsoft's Log Parser tool,
and the other on SQL injection detection on Oracle.
07/18/03 Apache 1.3.28 released!
Apache has released 1.3.28 to address multiple bugs, including three minor security fixes.
Below are the security-related changes from the announcement.
Security vulnerabilities
* CAN-2003-0460 (cve.mitre.org): Fix the rotatelogs support program on
Win32 and OS/2 to ignore special control characters received over the
pipe. Previously such characters could cause it to quit logging and
exit. We would like to thank the Hitachi Incident Response team for
their responsible disclosure of this issue.
* VU#379828 : The server could crash when going into an infinite loop
due to too many subsequent internal redirects and nested subrequests.
* Eliminated leaks of several file descriptors to child processes, such
as CGI scripts.
Read the entire announcement
07/13/03 Site updates
Six new papers that (for some reason) weren't included during the site migration have been added.
An issue with our search engine suddenly not working has also been corrected.
Open call! We are currently looking for someone to create an animated GIF for this website. We are seeking
120x60, 259x68, 468x60, 485x60, and 125x125. All designers will be given proper design credits. Please
contact us if you are interested.
07/14/03 Google's Cache allows users to view material they would normally have to pay for.
Another story I found on Slashdot today, about how Google caches material and lets people view the cached copies
without having to pay for them. The article also goes into the copyright concerns for websites being cached.
"Like other online publishers, The New York Times charges readers to access articles on its Web site. But why pay when you can use Google instead?
Through a caching feature on the popular Google search site, people can sometimes call up snapshots of archived stories at NYTimes.com and other registration-only sites. The practice has proved a boon for readers hoping to track down Web pages that are no longer accessible at the original source, for whatever reason. But the feature has recently been putting Google at odds with some unhappy publishers." news.com.com
07/14/03 Browser Wars II: The Saga Continues
I found this interesting article linked off Slashdot this morning about web browsers, and the changes
that have happened and will happen within the next few years. The article also tells the history of the war between Netscape and Microsoft.
07/09/03 Apache 2.0.47 Released
Four security issues have been fixed in Apache versions prior to 2.0.47: three denial of service conditions and one bug that could leave a weak SSL ciphersuite in place after renegotiation (CAN-2003-0192). Only the internal-recursion crash (VU#379828) also affects the 1.3.x tree, where it was fixed in 1.3.28.
Below are the security snippets from the advisory.
*) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
of per-directory renegotiations and the SSLCipherSuite directive
being used to upgrade from a weak ciphersuite to a strong one
could result in the weak ciphersuite being used in place of the
strong one. [Ben Laurie]
*) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
temporary denial of service when accept() on a rarely accessed port
returns certain errors. Reported by Saheed Akhtar
<S.Akhtar@talis.com>
. [Jeff Trawick]
*) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
of service when target host is IPv6 but proxy server can't create
IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo
<tsuneo.yoshioka@f-secure.com>]
*) SECURITY [VU#379828] Prevent the server from crashing when entering
infinite loops. The new LimitInternalRecursion directive configures
limits of subsequent internal redirects and nested subrequests, after
which the request will be aborted. PR 19753 (and probably others).
[William Rowe, Jeff Trawick, André Malo]
07/08/03 Antivirus Concerns in XP and .NET Environments
SecurityFocus has published an article
on the possibility of wide-scale Web services virus infections. Below is a snippet from the article.
"The idea that a single, widespread web service with a vulnerability that can immediately expose tens of millions of people to new threats has security experts paying attention. Today's conventional worms and viruses are infecting millions of computers in ten minutes. But a crafty web service worm could potentially conduct millions of falsified commercial transactions in a matter of minutes, something a MS-Office macro virus can't hope to do. " - SecurityFocus
07/08/03 Microsoft .NET three years later
eWeek has published an article about .NET and its advances in the last three years.
"The end of last month marked the third anniversary of Microsoft's launch of its .Net strategy, which
executives such as Chairman and Chief Software Architect Bill Gates said at the time was a "bet-the-company
thing." But three years later, reactions are mixed as to whether that strategy, along with the vision that
accompanied it, has played out as the Redmond, Wash., software developer had hoped." - Eweek
07/06/03 New design
Welcome to our new layout. As I mentioned previously this site is changing and
lots of new content will be added soon. Below is a list of the new sections.
Coming soon:
Intrusion Detection
IIS Security
Tomcat Security
Resin Security
Secure coding documentation
Most of the content on this site already existed, but due to my previously poor layout it wasn't
very easy to find. If you have comments or suggestions (or if something is broken), please contact us.
06/18/03 Microsoft released Ebook on web security
Microsoft has released a massive 919-page e-book covering how to lock down
your web server, web services, web applications, and application servers. This book is worth
a read and I highly recommend it.
06/14/03 Site additions
I have recently added , and
sections to this site. Sometime this month I will also be adding Weblogic, Apache, and IIS security sections that
will provide documentation and links to relevant security resources.
If there is something you would like to add or see, please contact us.
5/28/03 Cumulative Patch for Internet Information Services
Multiple holes have been discovered in IIS. Two denial of service conditions exist that can allow an
attacker to cause IIS to stop responding, one cross site scripting issue exists in the 302 redirection
pages, and one buffer overflow allows command execution as the web server user. The buffer
overflow requires the user to have upload ability and Server Side Include permissions.
Fix:
Run Windows Update and install patch Q811114.
5/28/03 Apache Pre 2.0.46 Denial of Service
Below is a snippet from the Apache advisory.
Apache 2.0.46 Major changes
Security vulnerabilities closed since Apache 2.0.45
*) SECURITY [CAN-2003-0245]: Fixed a bug that could be triggered
remotely through mod_dav and possibly other mechanisms, causing
an Apache child process to crash. The crash was first reported
by David Endler and was researched and
fixed by Joe Orton. Details will be released
on 30 May 2003.
*) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
affecting basic authentication on Unix platforms related to
thread-safety in apr_password_validate(). The problem was reported
by John Hughes
5/27/03 Sun One Application Server Multiple vulnerabilities
Four issues have been identified in the popular Sun One application server, ranging from
source code disclosure and log evasion to cross site scripting and plaintext administrative password storage.
5/27/03 Multiple holes in Vignette
Eight vulnerabilities have been discovered in the Vignette application server.
5/17/03 IIS Security and Programming Countermeasures e-book released
An e-book on IIS security and secure programming has been released.
Worth a read if you run IIS on a production system.