HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: January 2010

Top Five Web Application Vulnerabilities 1/11/10 - 1/24/10

1) HP Power Manager 'formExportDataLogs' Directory Traversal Remote Code Execution Vulnerability

HP Power Manager is susceptible to a remote Directory Traversal vulnerability that could give an attacker the means to overwrite arbitrary files and execute arbitrary code with system level privileges. Successful exploitation could lead to a complete system compromise. Updates which address this issue have been released. Contact the vendor for further information.


2) SAP BusinessObjects Multiple Input Validation Vulnerabilities

SAP BusinessObjects is susceptible to multiple vulnerabilities including Cross-Site Scripting, remote URI-redirection, and information-disclosure. These can be exploited to execute code in the browser of an unsuspecting user, steal cookie-based authentication credentials, perform phishing attacks, and access sensitive information. Updates which address these issues have been released. Contact the vendor for more details.


3) IBM Lotus Web Content Management Login Page Cross-Site Scripting Vulnerability

IBM Lotus Web Content Management is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage these issues to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which address this issue have been released. Contact the vendor for additional information.


4) Sun Java System Web Server WebDAV Format String Vulnerability

Sun Java System Web Server is susceptible to a format-string vulnerability because it does not properly sanitize user-supplied input. Successful exploitation can give an attacker the means to execute arbitrary code within the context of the affected application. Failed attempts would likely result in a DoS condition. Updates which address this issue have not yet been released. Contact the vendor for additional information.


5) phpMyAdmin 'unserialize()' Remote Code Execution Vulnerability

phpMyAdmin is susceptible to a Remote Code execution vulnerability. Attackers can leverage this vulnerability to execute arbitrary code in context of the web server process and possibly gain  unauthorized access to the application or otherwise escalate their privileges. Additional attacks are likely possible. Updates which address this issue have been released. Contact the vendor for more details.


China, Google and Web Security

Google recently announced that its China based location was the victim of an attack that targeted and compromised a critical internal system used to track the email accounts of those on China’s watch list. The system was designed to comply with government warrants for information concerning Chinese human rights activists. Some suspect China of targeting this specific system to circumvent the official warrant process in order to collect data on other Chinese citizens .



More alarmingly, this attack was not exclusively directed at Google. In all, at least 34 companies including Yahoo, Symantec, Northrop Grumman, Dow Chemical, Washington-based think tanks, and assorted human rights advocacy groups were compromised by the spear phishing attack .


At first rumored to be another Adobe flaw, closer examination by McAfee Labs revealed that the attack (code named “Aurora”) was actually a sophisticated zero-day vulnerability exploit against Microsoft’s Internet Explorer .


What should be most worrisome is not the zero-day in all versions of IE, but the new crop of “advanced persistent threats” that are siphoning money and intellectual property. These APTs are professionally organized, have extensive funding and employ smart people. The result: triple encrypted shell code which downloads multiple encrypted binaries used to drop an encrypted payload on a target machine which then establishes an encrypted SSL channel to connect to a command and control network . This is serious stuff.


Only a few years ago the majority of web-based attacks seemed to be launched by individuals or small groups to collect credit card information. These attacks had seriously consequences, but the magnitude of the losses and the organization of the black market economy were still child’s play by today’s standards.


Current threats from the Eastern bloc are directed at massive monetary gain - probably in the area of tens of millions of dollars . China appears hell bent on stealing state secrets and intellectual property from both governments and private business alike. The stakes are much higher, and the bad guys are much more capable of pulling off the heist.




We have known for a long time that phishing scams have been very effective at exploiting random samples of unsuspecting users. However, the focused targeting of private business is a newer, more sophisticated and lucrative threat. These spear fishing attacks are intensely researched and aimed at top level executives, and will become more common as time passes.


In a directly related point, consider the curious appearance of a new website called iiScan. This service offers to scan your web application for vulnerabilities - for FREE. Just sign up and point their software to your website, and they will, ‘figure out’ how vulnerable to an attack you might be. After the scan is done, they will email you a PDF based report to your email account.


Placing trust is such services has been discussed before, especially concerning cloud security.  It doesn’t take much to imagine all the things that could go wrong in this scenario, even if IE didn’t have multiple zero-day exploits, and a proof of concept embedded malicious PDF exploit had not just been released.


 It might very well turn out that NOSEC Technologies Co., Ltd. (the company behind iiScan) may be legitimate, or at least may have started out that way. Even if they are not actively attacking websites, it shouldn’t take long for them to become a high profile target for either private hackers, or for the Chinese government itself. What would be a better target than a database full of public websites and their known vulnerabilities? These sites, if not already compromised by iiScan, could be used as command and control drones, payload hosts, pieces of a distributed file-system, or merely SPAM relay channels.


Education and Armament


Everyday adds more proof that web application threats are being crafted by motivated professional organizations with deep pockets. Security needs to be taken very seriously, practiced diligently, and all users need be paranoid when surfing the web. This is especially important because the media is very cautious to report all the gory details of the real impact of cybercrime .


Installing preventative software is a good idea, too. Some of the latest tools and devices may help to prevent drive-by malware, spear phishing payloads, etc. Install Firefox and use plug-ins that flag suspected malware host sites. Use a personal web proxy, and restrict evil IPs. You can get the most comprehensive list of Korean and Chinese blocks (including iptables, htaccess files, dns zones, etc) from this page. Above all, stop clicking on those emails from your least technical friends that include an attached PowerPoint or PDF file to deliver a punch line. The villains take the Internet very seriously, and so should you.


UPDATE (1/19/2010):


Thanks to the Full-disclosure list (Marc, Smasher, Dan) for pointing out that the exploit was not nearly as sophisticated as McAfee has led us to believe.


The exaggerated sophistication of the attack re-enforces my point about media FUD - ironic in its own way because the media is quick to exaggerate the sophistication of the attacks, yet minimize the damage associated with them. It’s like getting up off the floor after a sucker punch and taunting "That didn't hurt". The reality is that simple attacks are still very effective - our security education and implementation still has a long way to go.


However, the real point of this article was to encourage a little more critical thinking surrounding software security. Putting blind faith in any type of security device (airport scanners, webapp scanners, etc.) is not good security practice.







".htaccess" for the win! Stomp overaccesible folder vulns.

All too often organizations are exposing themselves far too much due to lazy administration and the web applications they install aren't doing them any favors.

I doubt any one has the numbers, but websites that are just "installs" of some CMS, blog, or (insert open source app here) un(tar|zipped) into the default directory of an Apache web root are splattered across the Internet. That said, I remember appreciating this simplicity; it certainly allows any developer with any amount of tomfoolery/mad skillz in his/her bones (but mostly none) to create a webpage and have an Internet presence. The real reason these settings are default are probably due to either laziness or for parading their features (although it would be great if Apache was more secure from a default perspective). I'm off topic here, but it's not all Apache. The distributions need to take responsibility for distributing the default config themselves... why isn't there an "apache2-secure" overlay/package that would try and install a more secure set of defaults for the average user? (Answer: the maintainers are not the average user)

Whatever, I don't want to get knee deep into Apache politics and the reasons for feature X being enabled by default. Nothing changes the fact that most default installations of Apache have things like directory listings enabled as well as allowing any installed web programming modules to execute file extensions they register for inside the web root and any subdirectory. Like I said, this is great for the beginning user that doesn't know how to massage httpd.conf files, but it's scary how common these defaults are left enabled.

One of the features Apache users could probably do with out by default are Distributed configuration files (".htaccess" files). These files make it all too easy for people to forget about the root directory settings and allow their to further configure any specific settings it requires. The side effect here is that you are now also relying on the web application to remove the privileges of the web root to function securely. Of course I could come up with a bulleted list of why we need this functionality; I've used it and I'm about to advocate its use, but I challenge whether its necessary for a default installation. If you expect the Apache user to edit the httpd.conf file during the installation of Apache (to set the ServerName/IP/VirtualHosts), why not just expect that user to edit the httpd.conf file for any applications that require specific configurations? I dunno...maybe that's a little too draconian of me. But hopefully Apache doesn't make it more complicated by changing its config files to Lua...

Since we do have this feature though, how can OSS projects take advantage of it...

There is no excuse for open source apps to be distributed without ".htaccess" files limiting anonymous access to files that shouldn't be publicly accessible. There have been literally hundreds of vulnerabilities because some web applications internal files were exposed in some sub directory of the installed application.

The above is all you need to do for PHP. Just drop that ".htaccess" file in any folders your OSS project has that shouldn't be accessible publicly and voila! your done. No more information disclosure, variable overwriting, XSS, and other vulnerabilities.

In fact, if you want to take it to the next step, you should change your error reporting of 40's to the same response. Thus attackers won't be able to fingerprint your web application by the existence of your app's library files (like wafp does). Here is a snip-it to accomplish that:

Although the existence of your public files might be enough to fingerprint it, either way though your OSS project will be better off.

Of course even if you are an administrator of a web application, this is something that you can do as well. If you know certain folders are just for temporary storage by a web app or are part of a library, just create the aforementioned ".htaccess" files and stop random vagabonds from squatting on (some of) your vulnerabilities.


Top Five Web Application Vulnerabilities 12/15/09 - 1/10/10

1) Microsoft IIS ASP Multiple Extensions Security Bypass

IIS is susceptible to an ASP extensions security bypass vulnerability. IIS versions 5.x and 6.x determine a file extension by only using a portion of the filename before a “;” (semicolon), which can be leveraged to allow remote attackers to bypass intended extension restrictions of third-party upload applications. A patch has not yet been released. Contact the vendor for additional information.


2) PHP 'htmlspecialcharacters()' Malformed Multibyte Character Cross-Site Scripting Vulnerability

PHP is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which address this vulnerability are available. Contact the vendor for more details.


3) IBM Rational ClearQuest CQWeb Interface Password Information Disclosure Vulnerability

IBM Rational ClearQuest is susceptible to a password disclosure vulnerability. Successful exploitation will give an attacker access to sensitive information and aid in conducting further attacks. Updates which resolve this issue are available. Contact the vendor for additional information.


4) Ruby on Rails 'protect_from_forgery' Cross-Site Request Forgery Vulnerability

Ruby on Rails is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests that appear completely legitimate, and can be used to abuse any type of functionality the web application contains. A fix has not yet been released. Contact the vendor for further details.


5) RoundCube Webmail Cross-Site Scripting Vulnerability

RoundCube Webmail is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage these issues to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. A fix has not yet been released. Contact the vendor for additional details.


Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.