HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: June 2010

Almost all security and compliance professionals expect more data breaches in 2010

There used to be an old expression in the security industry (or at least in our office): sell the fear. At this point, it sounds like it's the security and compliance professionals themselves who have bought it. According to a recent survey of those groups conducted by nCircle, 95% believe that data breaches will increase in 2010. That can't be good. It seems there is hardly anybody who doesn't think the bad guys are getting further and further ahead of security efforts. Security and compliance professionals as a group don't tend to be the most optimistic bunch, but that's still a huge percentage.


Why are security efforts lagging so far behind? According to the survey, part of the issue is funding. That's not surprising, considering the economic mess we've just survived. But that’s also complicated by the fact that security and compliance professionals have historically had a hard time convincing management to spend the money for security efforts, even in good economic times. As well, web applications are getting more complicated and harder to secure, not less. Cyber-criminals are getting more organized, not less. And the likelihood of a catastrophic attack on infrastructure is only growing, not shrinking. Hopefully, it won't take the equivalent of a cyber security Gulf oil spill before security efforts can at least match those of the criminals.


http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=225700818

Context Matters for Cross-Site Scripting Filters

During a recent pen-testing exercise, Cross-Site Scripting (XSS) was, as usual, the most common issue found. Some sites had issues numbering in the hundreds (with nearly every parameter on every page being vulnerable). This should no longer be surprising to anyone; XSS has been one of the most common vulnerabilities for years. What was most interesting was that in several of these cases, the web site in question was doing very effective HTML filtering. They were either completely stripping all HTML tags, doing some elaborate parse-and-sanitize routine, or some other filtering that would make a traditional XSS attack impossible. However, these pages were still vulnerable. Why? They were reflecting parameters inside of JavaScript, where different rules apply.

When a parameter is reflected inside of JavaScript, an attacker no longer needs to inject an HTML tag to execute script. After all, a script is already being executed. It’s usually only a matter of using one or two characters to break out of the current statement to begin executing arbitrary code. Consider the following simple case:

http://example.com/news.php?date=2010-01-01

...

news.php:

<script>
make_up_some_news('<?php echo strip_tags($_GET["date"]); ?>');
</script>

PHP's strip_tags() would remove a traditional XSS attack of the form “<script>alert('XSS');</script>”, but no tags are needed here. http://example.com/news.php?date=');alert('XSS');// will execute script without needing < or >. Even PHP’s htmlspecialchars() would not fix this, unless it was also passed ENT_QUOTES, as it will allow single quotes to pass through by default. HTML only defines the following characters as “special”, which could break the flow of the page:

Character   Description
"           quotation mark
'           apostrophe
&           ampersand
<           less-than
>           greater-than

To protect a reflection in JavaScript, you would need to filter out newlines, semicolons, curly braces, square brackets, parentheses, and nearly every other non-alphanumeric symbol, depending on where the parameter is being reflected. Reflecting a parameter inside of a <style> tag or attribute has similar problems. It’s not necessary to use angle brackets inside of CSS in order to execute JavaScript, fetch a remote URL, or do other potentially dangerous things.

Of course, any list of “dangerous” characters or sequences runs the risk of being non-comprehensive. By far the safest and easiest way to protect yourself is to use a whitelist-style filter instead of a blacklist-style one. Whitelisting involves accepting only what is ‘good’ instead of trying to reject everything that is bad. Instead of using strip_tags, in this case, try to parse the input as a valid date matching the yyyy-mm-dd pattern you expect. If you’re expecting an integer, require an integer, etc. If it doesn’t match, throw an error. This is not a time to be liberal with what you accept (and reflect)! If these pages were only accepting input in a specific format instead of trying to remove “dangerous” characters or sequences, there would not be a problem, regardless of where it was being reflected.
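The whitelist approach described above, as an added example written for this page (it is not code from the original post or from HP): the date parameter from news.php is accepted only if it is a real yyyy-mm-dd calendar date, and everything else is rejected. It goes one step beyond the post by also showing the fallback for the case where free-form text genuinely has to be reflected inside a <script> block: emit it as a JSON string literal with every HTML-special character hex-escaped, so it can close neither the JavaScript string nor the surrounding tag. The function names validate_news_date and js_string_literal are hypothetical, and the sample inputs are constructed (one legitimate date plus the payload from the post). htmlspecialchars() is called with ENT_COMPAT explicitly so that the run reproduces the older default behaviour the post refers to; JSON_THROW_ON_ERROR needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

// Whitelist: accept only a real calendar date in yyyy-mm-dd form; fail closed
// on anything else. \A and \z (rather than ^ and $) reject a trailing newline.
function validate_news_date(string $input): ?string
{
    if (!preg_match('/\A(\d{4})-(\d{2})-(\d{2})\z/', $input, $m)) {
        return null;                                   // wrong shape: reject
    }
    if (!checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        return null;                                   // e.g. 2010-13-45: reject
    }
    return $input;                                     // the only value we ever echo
}

// Fallback for text that must be reflected inside <script>: a JSON string
// literal with ' " < > & hex-escaped (\u0027, \u003C, ...). The quote cannot
// close the JS string, and </script> cannot close the tag. Invalid UTF-8
// throws instead of silently returning false.
function js_string_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Constructed inputs: a legitimate date and the payload quoted in the post.
$samples = [
    '2010-01-01',
    "');alert('XSS');//",
];

foreach ($samples as $s) {
    $date = validate_news_date($s);
    echo "input: {$s}\n";
    echo "  whitelist:        " . ($date === null ? 'REJECTED' : $date) . "\n";
    // strip_tags() leaves the quote and parentheses untouched: still exploitable
    echo "  strip_tags:       make_up_some_news('" . strip_tags($s) . "');\n";
    // htmlspecialchars() without ENT_QUOTES leaves the apostrophe untouched
    echo "  htmlspecialchars: make_up_some_news('" . htmlspecialchars($s, ENT_COMPAT) . "');\n";
    // JSON literal: the apostrophes become \u0027, so the string is never closed
    echo "  json literal:     make_up_some_news(" . js_string_literal($s) . ");\n";
}
```

Running it prints the four renderings side by side for each input; only the whitelist line rejects the payload outright, and only the JSON literal line keeps it inert when reflection is unavoidable.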

Top Five Web Application Vulnerabilities 06/07/10 - 06/20/10

1) Microsoft Help and Support Center Multiple Vulnerabilities

Microsoft Help and Support Center is susceptible to multiple vulnerabilities. The first, a trusted-document whitelist bypass, can be used by remote unauthenticated attackers to access arbitrary help documents, which can then be leveraged in further attacks (specifically the following issue). Microsoft Help and Support Center is also prone to a Cross-Site Scripting vulnerability which, if exploited, can be used to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on end user systems. As of this writing a patch has not been released for these issues. Contact the vendor for additional information.

http://www.securityfocus.com/bid/40725
http://www.securityfocus.com/bid/40721

2) McAfee Unified Threat Management Firewall 'page' Parameter Cross-Site Scripting Vulnerability

McAfee Unified Threat Management (UTM) Firewall (formerly SnapGear) is susceptible to a Cross-Site Scripting vulnerability. It can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this vulnerability are available. Contact the vendor for further information.

http://www.securityfocus.com/bid/40708

3) Apache 'mod_proxy_http' Timeout Handling Information Disclosure Vulnerability

Apache is susceptible to an Information Disclosure vulnerability. Successful exploitation would give an attacker unauthorized access to sensitive information, which would likely lead to more damaging attacks. Updates which resolve this vulnerability are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/40827

4) DotNetNuke Multiple Security Vulnerabilities

DotNetNuke is susceptible to multiple vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, and Information Disclosure. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests that appear completely legitimate, and can be used to abuse any type of functionality the web application contains. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Information disclosure can give an attacker access to sensitive information which could be used to conduct more damaging attacks. An update which resolves these issues has been released. Contact the vendor for further information.

http://www.securityfocus.com/bid/40947

5) Moodle Multiple Vulnerabilities

Moodle is susceptible to multiple vulnerabilities including Cross-Site Scripting, HTML Injection, and a security bypass issue. Successful exploitation of these vulnerabilities could be used to alter how the site appears, steal authentication credentials, access sensitive information, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/40944

Mass web attack compromises thousands of sites via SQL Injection

Thousands of web sites, including the Wall Street Journal and the Jerusalem Post, have been compromised in what appears to be a massive new wave of SQL Injection attacks. We've seen this before: it's the same exploitation of Microsoft IIS running Active Server Pages that we saw in 2008. The attackers are not exploiting a bug in any specific Microsoft product but are instead exploiting application security bugs created by poor software development.

SQL injection is a method of attack where an attacker exploits code that builds database queries from data the application accepts without validating it. Once upon a time, attackers were content just to steal the data contained in the vulnerable database. Now, they use SQL Injection to insert malicious HTML code into the vulnerable page that redirects users to sites where malware is downloaded and installed on their systems, which in most cases will give the attackers complete remote control of the victim's system.
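The "application security bug created by poor software development" that the post blames is, at its core, user input concatenated into a query string. As an added example for this page (not code from the original post, from HP, or from the sites named above), here is that defect in PHP/PDO beside the parameterised fix, run against an in-memory SQLite database. The news table, its rows, the function names load_news_unsafe and load_news_safe, and the tampered id value are all constructed for illustration.

```php
<?php
// Added example, not from the original post. Table, rows and function names
// are constructed for illustration.

// Vulnerable: the id value becomes part of the SQL text, so whatever the
// application "accepts" is interpreted by the database, not just by the app.
function load_news_unsafe(PDO $pdo, string $id): array
{
    $sql = 'SELECT title, body FROM news WHERE id = ' . $id;   // do not do this
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: require the type the application actually expects (a positive
// integer), then bind the value as a parameter so it is never parsed as SQL.
function load_news_safe(PDO $pdo, string $id): array
{
    if (!ctype_digit($id) || strlen($id) > 10) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO news VALUES (1, 'Hello', 'First story')");
$pdo->exec("INSERT INTO news VALUES (2, 'Hidden', 'Not meant for id=1')");

echo "safe lookup of id 1:\n";
print_r(load_news_safe($pdo, '1'));                       // exactly one row

// A tampered id: valid SQL text, but not a valid integer.
$tampered = '1 OR 1=1';
$rows = load_news_unsafe($pdo, $tampered);
echo "unsafe lookup with tampered id returned " . count($rows) . " rows\n";   // 2

try {
    load_news_safe($pdo, $tampered);
} catch (InvalidArgumentException $e) {
    echo "safe lookup rejected tampered id: " . $e->getMessage() . "\n";
}
```

The validation step and the bound parameter are independent defences: the type check stops malformed input at the edge of the application, and the prepared statement guarantees that even a value which slips past validation is delivered to the database as data rather than as query text.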


Fortunately, HP and Microsoft released a free tool to help organizations find these SQL Injection vulnerabilities. The Scrawlr (short for SQL Injection and Crawler) is a tool that will crawl a website (i.e., follow every link, hidden or otherwise) and then audit it for SQL Injection vulnerabilities. Specifically, the Scrawlr is designed to detect SQL Injection vulnerabilities in dynamic web pages that will be indexed by search engines. When Scrawlr detects what it thinks is a SQL Injection vulnerability, it will try to extract the database name and type, as well as the names of all the user defined tables in the database. This proves that data extraction is possible and that the SQL Injection vulnerability is real and not a “false positive”.

You can download Scrawlr for free here:

https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php?mcc=DNXA&jumpid=in_r11374_us/en/large/tsg/w1_0908_scrawlr_redirect/mcc_DNXA

You can also read more about Scrawlr and its capabilities here:

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx

And you can read more about the mass web attack here:

http://www.computerworld.com/s/article/9177904/Mass_Web_attack_hits_Wall_Street_Journal_Jerusalem_Post?taxonomyId=17

Top Five Web Application Vulnerabilities 05/24/10 - 06/06/10

1) IBM Lotus Connections Multiple Vulnerabilities

IBM Lotus Connections is susceptible to multiple vulnerabilities including Cross-Site Scripting and information disclosure. Successful exploitation would give an attacker unauthorized access to sensitive information and the ability to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Fixes which resolve these vulnerabilities have been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/40445

2) HP ServiceCenter Unspecified Cross-Site Scripting Vulnerability

HP ServiceCenter is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this vulnerability are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/40547

3) MySQL Enterprise Monitor Multiple Unspecified Cross-Site Request Forgery Vulnerabilities

MySQL Enterprise Monitor is susceptible to multiple Cross-Site Request Forgery vulnerabilities. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests that appear completely legitimate, and can be used to abuse any type of functionality the web application contains. Updates which resolve these vulnerabilities are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/40537

4) HP TestDirector for Quality Center Unauthorized Access Vulnerability

HP TestDirector is susceptible to an unauthorized access vulnerability. Attackers could leverage this issue to modify data on the affected system. Updates which resolve this vulnerability are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/40371

5) Apache Axis2 'xsd' Parameter Directory Traversal Vulnerability

Apache Axis2 is susceptible to a directory traversal vulnerability via the 'xsd' parameter. Successful exploitation would give an attacker unauthorized access to sensitive information, which could possibly lead to more damaging attacks. As of this writing, a fix has not yet been released. Contact the vendor for further information.

http://www.securityfocus.com/bid/40343

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.