HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: September 2009

Top Five Web Application Vulnerabilities 9/14/09 - 9/27/09

1) Novell GroupWise WebAccess Cross-Site Scripting Vulnerability


Novell GroupWise WebAccess is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this vulnerability to execute script code in the browser of an unsuspecting user in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue have been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/36437


2) IBM Lotus Quickr Multiple HTML Injection Vulnerabilities


IBM Lotus Quickr is susceptible to multiple HTML Injection vulnerabilities. HTML Injection adds attacker-controlled content to a web server's response, which can then be used to steal cookie-based authentication credentials, execute arbitrary script in the context of the site, or simply alter how the site appears. Fixes which address these vulnerabilities are available. Contact the vendor for more details.


http://www.securityfocus.com/bid/36527


3) IBM WebSphere Application Server Eclipse Help Cross-Site Scripting Vulnerability


IBM WebSphere Application Server (WAS) is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious script in end users' browsers. Updates which resolve this vulnerability have been released. Contact the vendor for further information.


http://www.securityfocus.com/bid/36455


4) OSSIM SQL Injection, Cross Site Scripting and Unauthorized Access Vulnerabilities


OSSIM is affected by multiple vulnerabilities, including SQL Injection, Cross-Site Scripting, and unauthorized access. If exploited, these vulnerabilities could lead to compromise of the application or the theft of confidential information and authentication credentials, or be utilized in conducting additional database attacks. Updates which resolve these issues are available. Contact the vendor for additional details.


http://www.securityfocus.com/bid/36504


5) IBM Lotus Connections 'simpleSearch.do' Cross-Site Scripting Vulnerability


IBM Lotus Connections is susceptible to a Cross-Site Scripting vulnerability. This can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this issue are available. Contact the vendor for more information.


http://www.securityfocus.com/bid/36513

60% of Internet attacks now conducted against web applications

New studies have gone a long way toward confirming that certain web application security trends are accelerating. The SANS Top Cyber Security Risks report reveals that a full 60% of Internet attacks are now conducted against web applications. It's no longer unpatched operating systems that provide attackers with their main point of entry; in fact, patches for known flaws in operating systems are installed twice as fast as those for web application vulnerabilities. Apparently, there are so many custom and open-source applications on a typical network that most admins can't even catalog them, let alone update them. And with more than 80% of newly reported software flaws being in common web applications, the numbers will only get worse.

Despite the rise in web application attacks, organizations are still not doing the simple things to improve their security, such as scanning for common flaws like SQL Injection and Cross-Site Scripting. Scanning can go a long way toward preventing your servers from hosting malicious content that infects visitors with malware, yet many organizations still bypass this critical step. And it's legitimate websites that have been compromised and are serving as malware distribution points that are now doing the most damage. Just ask the New York Times.

The SANS report is available at http://www.sans.org/top-cyber-security-risks/

Is your .svn showing (like 3300 other sites)?

TechCrunch has an article (pointing back to a Russian security company's blog post; translated link) detailing a scan of 2,253,388 web sites, which turned up an amazing 3,320 exposed Subversion .svn directories.


In case you're not familiar with Subversion, it is a version control system similar to CVS. Its .svn directory is likely to hold a wealth of information for attackers: account names of developers, change histories, and most importantly, full copies of source code. Those copies live under .svn/text-base with a .svn-base suffix, which the web server won't hand to a script interpreter, so they come back as plain text rather than being executed on the server side.


At best, disclosure of source code will give your attacker great insight into how things operate and point out any "hidden" files. At worst, it will let attackers find a flaw that leads to compromise of your server. Clearly, neither of those is a desirable outcome.


To check your website for a .svn directory (and don't forget to look for a "cvs" directory as well), there are several options (more than one is probably appropriate):



And don't forget that the .svn directory may exist in any location, not just the web root.
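
A probe for exposed .svn and CVS metadata, written in Python as an added example for this post (it is not code from the original article, nor from WebInspect). It matches on the content of .svn/entries, .svn/wc.db, CVS/Entries and CVS/Root rather than on the HTTP status, so sites that answer every unknown path with a "soft 404" page do not produce false positives. The host names, directory names and sample responses are constructed for illustration.

```python
"""Probe a site for exposed Subversion (.svn) and CVS metadata.

Added example for this post, not code from the original article or from
HP WebInspect. The signatures below are heuristics based on the on-disk
formats of the files; URLs, directory names and responses are constructed.
"""
import re
import sys
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple
from urllib.parse import urljoin

# .svn/entries, Subversion 1.4-1.6: first line is the working-copy format
# number (8, 9 or 10). Subversion 1.7+ leaves a stub containing just "12"
# and keeps the real data in .svn/wc.db, a SQLite database.
# Subversion <= 1.3 wrote entries as an XML document with a <wc-entries> root.
ENTRIES_FORMATS = {b"8", b"9", b"10", b"11", b"12"}
SVN_XML_ENTRIES = re.compile(rb"\A<\?xml[^>]*>\s*<wc-entries")
SQLITE_MAGIC = b"SQLite format 3\x00"
# CVS/Entries: one line per file, "/name/revision/timestamp/options/tag",
# plus "D" (or "D/name////") lines for subdirectories.
CVS_ENTRY_LINE = re.compile(rb"\AD?/[^/]+/[^/]*/[^/]*/[^/]*/")

# Files to request, relative to each directory being checked.
PROBE_PATHS = (".svn/entries", ".svn/wc.db", "CVS/Entries", "CVS/Root")

Fetcher = Callable[[str], Optional[bytes]]  # url -> body on HTTP 200, else None


def classify(probe_path: str, body: Optional[bytes]) -> Optional[str]:
    """Return a finding label if `body` looks like the VCS file `probe_path`.

    Matching on content, not on the status code, avoids false positives from
    sites that answer every unknown path with a 200 "soft 404" page.
    """
    if not body:
        return None
    first_line = body.split(b"\n", 1)[0].rstrip(b"\r")
    if probe_path == ".svn/entries":
        if first_line in ENTRIES_FORMATS:
            return "svn entries, working-copy format %s" % first_line.decode()
        if SVN_XML_ENTRIES.match(body):
            return "svn entries (pre-1.4 XML format)"
    elif probe_path == ".svn/wc.db":
        if body.startswith(SQLITE_MAGIC):
            return "svn wc.db (SQLite working-copy database)"
    elif probe_path == "CVS/Entries":
        if first_line == b"D" or CVS_ENTRY_LINE.match(first_line):
            return "CVS Entries file"
    elif probe_path == "CVS/Root":
        # e.g. ":pserver:user@cvs.example.test:/cvsroot" or "/home/cvs"
        if first_line.startswith((b":", b"/")) and b" " not in first_line:
            return "CVS Root file"
    return None


def check_site(base_url: str, fetch: Fetcher,
               directories: Iterable[str] = ("",)) -> List[Tuple[str, str]]:
    """Probe `base_url` and each listed subdirectory; return (url, label) findings.

    The metadata directory can live anywhere a checkout was copied to, so pass
    every directory you know of (or every one a crawl found), not just the root.
    """
    findings = []
    for directory in directories:
        prefix = directory.strip("/")
        prefix = prefix + "/" if prefix else ""
        for probe in PROBE_PATHS:
            url = urljoin(base_url.rstrip("/") + "/", prefix + probe)
            label = classify(probe, fetch(url))
            if label:
                findings.append((url, label))
    return findings


def http_fetch(url: str, timeout: float = 10.0) -> Optional[bytes]:
    """Default fetcher: first 4 KiB of the body on HTTP 200, None otherwise."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(4096) if resp.status == 200 else None
    except Exception:  # HTTPError (403, 404, ...), URLError, timeout
        return None


if __name__ == "__main__":
    # usage: python svn_probe.py http://www.example.test [dir ...]
    target, dirs = sys.argv[1], sys.argv[2:] or [""]
    for found_url, what in check_site(target, http_fetch, dirs):
        print("EXPOSED: %s  (%s)" % (found_url, what))
```

Feed it every directory your deployment copies a working copy into, and rerun it after cleaning up: once the server refuses dot-directories, the probes return 403/404 (or an unrelated page) and no finding is reported.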


If you find one, you should take several steps to resolve the situation:



  • Move the .svn directory to someplace inaccessible via the web site (better still, deploy with "svn export", which produces a copy of the tree without any .svn metadata)

  • Reconfigure your web server to refuse requests for files/directories that begin with a dot (on Apache, for example, a <DirectoryMatch "/\.svn"> block with "Deny from all"; on nginx, "location ~ /\. { deny all; }")

  • Check google.com, archive.org and other sites which cache web sites to ensure your source code is not still available--if it is, follow the site's procedure for requesting the content be removed

  • Thoroughly review all exposed files (whether or not you have evidence that they were accessed) to look for user IDs, passwords, database connection strings, etc., and if you find any: change them immediately


The authors of the survey attempted to contact all the sites via email. If you suspect you were on the list and didn't receive the warning, you may want to review your mail handling procedures, ensure you have the appropriate contact email addresses (see RFC 2142 for more info), and add your company to OSVDB.org's "Vendor Dictionary" to allow third parties to contact you more easily.


WebInspect will help to ensure the security of your web applications by locating insecure .svn directories. Simply SmartUpdate to receive the latest checks and methodologies.

%3c has always been a friend of mine

Ask a developer what the ASCII code of "A" is and most should be able to tell you 65. The good ones will tell you 0x41. If you ask them, they should be able to tell you some more off the top of their head. Space... 32, quote... 34, "a" ... 0x61 (I can never remember the base 10, hex was just easier for this). This isn't the coding equivalent of silly or pointless information like knowing all the Vice Presidents. Most developers have learned various ASCII codes over the course of their careers. I learned a lot of ASCII codes about 15 years ago while writing QBASIC apps when I needed to do things like PRINT "You entered " + CHR$(34) + $val + CHR$(34).


The same is true for web security professionals with URL-encoded characters. Funny enough, these are normally ASCII hex values, but the characters you use so much that you memorize them in web security are different from the developers'. The ones I have used so much I know by heart are %3c, %3e, %2f and %2e.


%3c = <
%3e = >
%2f = /
%2e = .
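
Here is why those four are the ones that stick, as an added example in Python (not code from the original post): a blocklist that inspects the raw query string never sees a "<" in "%3cscript%3e" or a "../" in "%2e%2e%2f", while a filter that decodes the value first does. The decoder does the hex-to-ASCII arithmetic by hand to make the point visible; in real code use urllib.parse.unquote. The filter rules and sample values are constructed for illustration.

```python
"""Why %3c matters: canonicalize URL-encoded input before inspecting it.

Added example for this post, not code from the original. percent_decode()
performs the %XX -> byte arithmetic by hand to show the ASCII relationship;
in production use urllib.parse.unquote. Filters and samples are constructed.
"""
import re

HEX_PAIR = re.compile(r"%[0-9A-Fa-f]{2}")
# What a typical blocklist worries about: tag delimiters and the "../"
# directory-traversal sequence (constructed rule set for this example).
BLOCKLIST = re.compile(r"[<>]|\.\./")


def percent_decode(value: str) -> str:
    """Decode %XX escapes exactly once.

    '%3c' -> int('3c', 16) == 0x3c == 60 -> '<'. Multi-byte UTF-8 characters
    arrive as several escapes (%C3%A9 -> 'é'), so bytes are collected first
    and decoded at the end. '+' means space only in form bodies, not in URL
    paths, so it is deliberately left alone here.
    """
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "%" and HEX_PAIR.fullmatch(value[i:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


def naive_allow(raw_value: str) -> bool:
    """Inspects the still-encoded value: '%3cscript%3e' contains no '<'."""
    return BLOCKLIST.search(raw_value) is None


def canonical_allow(raw_value: str) -> bool:
    """Decode once, then inspect.

    Anything that still contains %XX after one pass was double-encoded
    (%253c -> %3c) and is rejected outright rather than decoded again,
    because decoding in a loop is exactly how filters get bypassed. (A
    legitimate literal '%' followed by two hex digits is refused too; that
    is an acceptable cost for this filter.)
    """
    decoded = percent_decode(raw_value)
    if HEX_PAIR.search(decoded):
        return False
    return BLOCKLIST.search(decoded) is None
```

The takeaway is the order of operations: decode to the canonical form first, exactly once, and only then apply whatever validation you have. Checking the raw wire form is checking a different string from the one the application will act on.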


What URL encoded characters have you used so often that you know off the top of your head?

HTML 5 Form Tags a Risk?

I've tried to keep up with new HTML 5 features, but Billy recently pointed out that INPUT tags have the ability to set regular expression patterns for validation directly in the markup. I think this is nifty and, at least in the demo I tried, a very user-friendly and pretty way to inform the user they've put in a bad value. There are also special types for numbers, dates, times, urls, email addresses and more.


However, I think there's a significant risk that we'll see many developers implementing the 'pattern' (and possibly field types) in the markup as the only form of input sanitizing for their application. That may seem ridiculous in this day and age--but you know it's not. We still regularly see people relying on client-side filtering via maxlength attributes or in JavaScript.


This new restriction, with its fancy-pants regular expression, may well give people a false sense of security when it comes to tainted input. As fresh developers and technologies enter the arena, old problems will be slapped with a coat of paint and sold as new. So, when talking to your clients, developers and friends, remember to reinforce the mantra:


                Never rely on client-side security.
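
What that mantra looks like in practice for the pattern attribute, as an added example in Python (not code from the original post): the server re-applies the same constraint to the raw request body, using fullmatch() because the browser matches pattern against the whole value. The form fields, their pattern and the sample request bodies are constructed for illustration.

```python
"""Re-validate an HTML5 pattern/number constraint on the server.

Added example for this post, not code from the original. The form fields,
their pattern attribute and the sample request bodies are constructed; the
point is that browser-side checks are advisory and the server repeats them.
"""
import re
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed form (what the markup would carry):
#   <input name="username" pattern="[A-Za-z0-9_]{3,16}" required>
#   <input name="qty" type="number" min="1" max="99" required>
PATTERN_FIELDS = {"username": r"[A-Za-z0-9_]{3,16}"}
RANGE_FIELDS = {"qty": (1, 99)}
# Explicit [0-9]: int() alone would happily accept other Unicode digits.
INTEGER = re.compile(r"-?[0-9]+")


def html5_pattern(pattern: str) -> "re.Pattern":
    """Compile a pattern attribute the way the browser applies it.

    HTML5 matches the attribute against the entire value (as if wrapped in
    ^(?:...)$), so the server side must use fullmatch(). re.ASCII keeps the
    digit and word classes ASCII-only as they are in JavaScript; other
    dialect differences still need review when porting a pattern.
    """
    return re.compile(pattern, re.ASCII)


def sloppy_check(pattern: str, value: str) -> bool:
    """The common porting mistake: search() accepts any value that merely
    contains a match, so '<script>alert(1)</script>' passes [A-Za-z0-9_]{3,16}."""
    return re.search(pattern, value) is not None


def validate(body: str) -> Tuple[bool, Dict[str, str]]:
    """Validate a raw application/x-www-form-urlencoded body; return (ok, errors).

    Every rule the markup expresses is re-applied here: presence, a single
    value, whole-value pattern match, integer range. A value with a trailing
    newline is rejected too; fullmatch() lacks re.match()'s habit of letting
    '$' match just before a final newline.
    """
    fields = parse_qs(body, keep_blank_values=True)
    errors: Dict[str, str] = {}
    for name, pattern in PATTERN_FIELDS.items():
        values = fields.get(name, [])
        if len(values) != 1:
            errors[name] = "expected exactly one value"
        elif not html5_pattern(pattern).fullmatch(values[0]):
            errors[name] = "does not match pattern %s" % pattern
    for name, (low, high) in RANGE_FIELDS.items():
        values = fields.get(name, [])
        if len(values) != 1 or not INTEGER.fullmatch(values[0]):
            errors[name] = "expected one integer"
        elif not low <= int(values[0]) <= high:
            errors[name] = "out of range %d..%d" % (low, high)
    return (not errors, errors)
```

The markup and validate() enforce the same rule; the difference is that only one of them runs on a request assembled with curl or an intercepting proxy. sloppy_check() is there to show the trap that makes a copied pattern worthless on the server.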

What do you think? Will the 'pattern' option and field types help or hinder actual application security?

Top Five Web Application Vulnerabilities 8/31/09 - 9/13/09

1) Ruby on Rails Form Helpers Unicode String Handling Cross-Site Scripting Vulnerability

Ruby on Rails is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which address this issue have been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/36278

2) IBM Lotus Domino Web Access Cross-Site Scripting Vulnerability

IBM Lotus Domino Web Access (iNotes) is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious script in end users' browsers. Updates which address this issue have been released. Contact the vendor for further details.

http://www.securityfocus.com/bid/36292

3) Mozilla Bugzilla Multiple Remote Vulnerabilities

Bugzilla is susceptible to several remote vulnerabilities including multiple instances of SQL Injection and a password disclosure vulnerability. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. The information disclosure vulnerability can be leveraged to steal user passwords. Fixes which address these issues have been released. Contact the vendor for more information.

http://www.securityfocus.com/bid/36373 ('Bug.create()' WebService Function SQL Injection Vulnerability)
http://www.securityfocus.com/bid/36372 (URL Password Information Disclosure Vulnerability)
http://www.securityfocus.com/bid/36371 ('Bug.search()' WebService Function SQL Injection Vulnerability)

4) IBM Lotus Notes RSS Reader Widget HTML Injection Vulnerability

IBM Lotus Notes is susceptible to an HTML Injection vulnerability. HTML Injection adds attacker-controlled content to a web server's response, which can then be used to steal cookie-based authentication credentials, execute arbitrary script in the context of the site, or simply alter how the site appears. This issue has reportedly been resolved in a hotfix. Contact the vendor for more details.

http://www.securityfocus.com/bid/36305

5) DotNetNuke Multiple Cross-Site Scripting Vulnerabilities

DotNetNuke is susceptible to multiple Cross-Site Scripting vulnerabilities. These vulnerabilities can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/36274

How to clean up a hacked WordPress installation

Older installations of WordPress have recently been hit by a new wave of attacks, as they are increasingly targeted by hackers and are highly susceptible to a variety of flaws. What to do, then, when your installation has been compromised? Here's a good list from WordPress of the steps to take when your WordPress installation has suffered a successful attack.


http://codex.wordpress.org/FAQ_My_site_was_hacked


The HP Web Security Research Group's own Matt Wood recently wrote some excellent advice for a hacked site, as well. Each of these lists will help you secure your WordPress installations.


http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/08/19/advice-for-a-hacked-site.aspx

Labels: hacked | WordPress

24 Hour Live Hacking Challenge

Join us at the HP Application Security virtual booth for a 24 hour live web hacking challenge where you will have a chance to advance through more than 10 levels of increasing difficulty.  Participants attempt to break the login protection mechanisms at each level and gain experience in conducting attacks as a hacker would. Learn how simple techniques can compromise web applications. All of the security defects in the application are based on real world mistakes web developers make. 


Register to attend at http://hpappsshow.virtualeventscentral.com/uc/registration-short-form.php.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.