October 30, 2014

New version of Netsparker is quicker while using less CPU

(LiveHacking.Com) – Mavituna Security has released version 2.2 of its Netsparker web application security scanner. The new release focuses mainly on improving the performance of Netsparker while scanning big websites and on reducing CPU usage. As part of the performance drive, Netsparker now makes fewer requests while crawling a web application (without sacrificing coverage) and is able to handle huge websites and very long scans without a performance hit.

Besides the performance improvements, Netsparker 2.2 improves a number of its checking techniques. First, its Remote Code Evaluation checks have been improved and checks for Perl Remote Code Evaluation have been added. Local File Inclusion (LFI) vulnerability checking has also been improved, along with Remote File Inclusion (RFI) vulnerability checking. RFI checking catches vulnerabilities based on an attacker’s ability to inject a file (not already on the server) into the attacked page and have it included as source code for parsing and execution. Also improved is Netsparker’s PHP Source Code Disclosure checking.

Web applications have been under the spotlight recently with sites like LinkedIn and Yahoo! suffering security breaches which resulted in login details (including email addresses and passwords) being stolen and posted online. Tools like Netsparker are increasingly becoming “must haves” in the arsenal of web application developers. Netsparker is also quite unique in the web application security scanning market in that it includes a built-in exploitation engine to positively confirm vulnerabilities.

Yahoo’s recent security breach, in which details of 450,000 accounts were stolen and posted online, is thought to have occurred because of an SQL Injection attack. Tools like Netsparker can detect various forms of SQL Injection vulnerability. They can also detect Cross Site Scripting (XSS) vulnerabilities, Command Injection (where input data is interpreted as an operating system command) and CRLF injection issues (which can lead to XSS and session hijacking attacks).

Mavituna have published a full list of all security checks made by Netsparker and a demo version can be downloaded from their site.

Maintenance and Security Update for WordPress

(LiveHacking.com) – The WordPress team has released WordPress 3.4.1 to fix an important information disclosure vulnerability, in addition to Cross-Site Scripting (XSS) and privilege escalation vulnerabilities.

According to the WordPress blog, this release also addresses 18 bugs with version 3.4, including:

  • Fixes an issue where a theme’s page templates were sometimes not detected.
  • Addresses problems with some category permalink structures.
  • Better handling for plugins or themes loading JavaScript incorrectly.
  • Adds early support for uploading images on iOS 6 devices.
  • Allows for a technique commonly used by plugins to detect a network-wide activation.
  • Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.

WordPress 3.4.1 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

New Django Versions to Fix Security Problems

(LiveHacking.Com) – The Django team has released updated versions of the popular high-level Python Web framework to address several security-related problems. Along with the updates to the 1.2 and 1.3 code bases, the Django project has also released several advisories for other issues which, while not requiring changes to Django itself, will be of concern to its users.

  • Session manipulation – For some configurations Django sessions are stored directly in the root namespace of the cache, using session identifiers as keys. This results in a potential attack when coupled with an application storing user-supplied data in the cache. To mitigate this, the keys used to store sessions will now be namespaced in the cache.
  • Denial of service attack via URLField – Django includes a field type — URLField — which validates that the supplied value is a valid URL; it can optionally be set to validate the URL by issuing a request to it. By default, the underlying socket libraries in Python do not have a timeout. This can manifest as a security problem in different ways, including an attacker supplying a URL under his or her control which simply holds the connection open indefinitely.
  • URLField redirection – When validating a URL, if the URL uses a redirect, no validation of the resulting redirected URL is performed, including the basic checks for supported protocols (HTTP, HTTPS and FTP). This creates a small window for an attacker to gain knowledge of, for example, server layout: a redirect to a file:// URL will tell an attacker whether a given file exists locally on the server.
  • Host header cache poisoning – In several places, Django itself, independent of the developer, generates full URLs. Currently this uses the value of the HTTP Host header from the request to construct the URL, which opens a potential cache-poisoning vector: an attacker can submit a request with a Host header of his or her choice and receive a response which constructs URLs using that Host header; if that response is cached, further requests will be served out of the cache using URLs containing the attacker’s host of choice.
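The Host header cache-poisoning vector from the last item, as an added illustration (not Django’s code): a toy page cache keyed by request path stores a response whose absolute URL was built from whatever Host header arrived, and a hostname allowlist check stops the poisoned response from ever being cached. The allowlist, host names and helper names are constructed for the example.

```python
from typing import Dict, Optional

# Constructed allowlist of hostnames the site is actually served under.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def build_absolute_url(host: str, path: str) -> str:
    """The unsafe pattern: trust the request's Host header as the site's host."""
    return f"http://{host}{path}"


def validated_host(host: str) -> Optional[str]:
    """Return the normalised hostname if it is on the allowlist, else None.
    Strips an optional :port and lowercases before comparing."""
    hostname = host.split(":", 1)[0].strip().lower()
    return hostname if hostname in ALLOWED_HOSTS else None


class PageCache:
    """Minimal shared cache keyed by path only, as a reverse-proxy cache would be."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}

    def render(self, host: str, path: str, validate: bool) -> str:
        if path in self.store:
            return self.store[path]  # served to *every* later client
        if validate:
            safe = validated_host(host)
            if safe is None:
                return "400 Bad Request: disallowed Host"  # never cached
            host = safe
        body = f'<a href="{build_absolute_url(host, "/login")}">log in</a>'
        self.store[path] = body
        return body


def poisoning_demo(validate: bool) -> str:
    """First request carries an attacker-chosen Host, second is a normal user.
    Returns the HTML the normal user receives from the cache."""
    cache = PageCache()
    cache.render("evil.example.net", "/", validate)  # constructed attacker host
    return cache.render("www.example.com", "/", validate)
```

Without the check the normal user is handed a login link pointing at the attacker’s host; with it the bad request is rejected before anything reaches the cache.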

The advisories issued discuss different ways in which an attacker could possibly bypass Django’s Cross Site Request Forgery protection mechanism. While not actual bugs in Django itself, they are potential vectors for attack that developers should take into consideration.

According to djangosites.org, Django is used by at least 4000 web sites and the figure is likely to be much higher. All Django users are encouraged to upgrade to the latest versions, and to implement the recommendations in the advisories, immediately.

WordPress Releases Security Hardening Update

The WordPress project has announced the release of WordPress 3.0.5. Dubbed a security hardening release, it is an essential update for those with any untrusted user accounts, but it also comes with other important security enhancements and hardening for all WordPress installations.

Two cross-site scripting bugs have been squashed:

  • Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
  • Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.

Also included in 3.0.5 are two security enhancements, one of which improves the security of any plugins which were not properly leveraging the WordPress security API.

All WordPress administrators are encouraged to upgrade to this latest version. You can update automatically from the Dashboard > Updates menu in your site’s admin area or download 3.0.5 directly.

Mono 2.8.2 Fixes Source Code Disclosure Bug

The Mono Project has released Mono 2.8.2, which “contains an important security fix for users of ASP.NET”. The vulnerability, tagged CVE-2010-4225, allows under some circumstances ASP.NET applications to misbehave and return the source code (.aspx) of the application or any other file in the web application directory.

Affected are all 2.8.x versions of Mono. The components affected are the XSP web server and the mod_mono Apache module.

The Mono Project advises every Mono 2.8.x user to upgrade to Mono 2.8.2 if they host web applications with it.

PHP Floating-Point bug Found and then Fixed

A bug has been found in the popular web site scripting language PHP which theoretically could be used in a DoS attack against a web site. The bug is related to the way PHP 5.2 and 5.3 convert certain double-precision floating-point numbers from strings. The number in question is 2.2250738585072011e-308, and if a script tries to convert this from a string the CPU goes into an infinite loop. This could theoretically be used to mount a denial of service attack on a web site and send the CPU into overdrive.

The problem is known to affect only x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. This is because 32-bit PHP processes use the x87 FPU for doing the conversion whereas 64-bit processes use SSE.

The PHP team saw this as a critical bug and have released versions 5.3.5 and 5.2.17 to tackle the problem. It is strongly recommended that you upgrade to the new versions.

For more details on the bug see the PHP bug report here and news of the new releases here. You can test whether your system is affected by running this script from the command line.

Cross-Site Scripting (XSS) Vulnerability in phpMyAdmin

phpMyAdmin is prone to a cross-site scripting vulnerability due to insufficient user-supplied data sanitization.

According to the vulnerability disclosure, an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. The attacker must entice an unsuspecting user to follow a malicious URI. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

All versions prior to phpMyAdmin 3.3.8.1 and 2.11.11.1 are vulnerable. Updates are available to fix this issue.

Critical Security Update for WordPress

Version 3.0.4 of WordPress has been released. This version is available from the update page in the WordPress dashboard or for download here. This is a critical update that fixes a core security bug in the WordPress HTML sanitisation library, KSES. This security issue was discovered by Mauro Gentile and Jon Cave (duck_).

More technical information is available here.

Security Issue in Google Website Optimizer

Google has informed its users directly about a security issue in Google Website Optimizer.

Google has warned the Website Optimizer users about a vulnerability in the Website Optimizer Control Script. According to the Google email, an attacker might be able to execute malicious code on a user site using a Cross-Site Scripting (XSS) attack. This attack can only take place if a website or browser has already been compromised by a separate attack.

Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Vulnerability

AWStats 6.95 and prior versions are prone to an arbitrary command-execution vulnerability. This issue occurs when AWStats is used along with Apache Tomcat on Microsoft Windows.

According to securityfocus.com, an attacker can exploit this vulnerability to execute arbitrary shell commands in the context of the webserver process. This may help attackers compromise the underlying system; other attacks are also possible.