Asynchronous Javascript and XML (AJAX) is one of the latest techniques used
by web application developers to provide a user experience similar to that of
a local application. Unfortunately, AJAX also provides a number of serious
security issues that should be considered and, at least partly because the
technique is relatively new, many of the tutorials and other documentation
completely disregard the security implications. Developing secure code
rarely gets the attention it deserves and new technologies are typically
slow to develop 'best practices' and to disseminate that information
throughout their community. This can only lead to exploits in the future.
Traditional web applications are synchronous in nature, a user clicks a button
or link which sends a request to the server; the server replies with a page
of HTML and the browser displays the new page. AJAX applications do some
amount of work in the background, making requests of the server, sometimes
without explicit user input. These applications do not refresh the entire
page as they receive replies from the server; they only modify parts of the
page or their internal state which gives users a much smoother, less page
oriented experience.
One of the best known examples of an AJAX
application is Google Maps. While the
user is viewing a particular section of the map, the client requests
other sections of the map that are not yet visible and this allows the user
to seamlessly scroll the map to view off-screen sections. Auto-completion for
text fields, automatically updating form elements and form submission without
a page refresh are other common uses for AJAX in these
'Web 2.0' applications.
In order to handle the asynchronous server requests, AJAX programs use the
Javascript XmlHttpRequest (XHR) object. The name of this object is really
where the X in AJAX comes from as XML is not necessarily used in the
XHR request or response. A client sends a request to a specific URL
on the same server as the original page and can receive any kind of reply
from the server. These replies are often snippets of HTML, but can also
be XML, Javascript Object Notation (JSON), image data or anything else
that Javascript can process.
Various queries and requests that were once handled internally on the
server are now exposed as a de facto API for AJAX applications. This
drastically increases the attack surface of these programs because there
are so many additional ways to potentially inject malicious content.
Filtering user input correctly is, as always, the single most important
safeguard for a web application; this is an area that traditional web
applications have regularly failed to handle correctly. It is difficult
to see how adding additional ways to get user input into the application
is going to help this problem.
SQL injection and
Cross-site scripting (XSS)
are two attacks that can be made against an application that does not
filter user input correctly. AJAX techniques allow for additional
ways to exploit these vectors in the background, undetectable by the user.
The Myspace samy
worm
(more technical description
here)
is an example of the kinds of things that can be done. At the recent Black
Hat Briefings, there was a session describing a port sniffer written in
Javascript that could potentially discover internal network details behind
a firewall and report them to a malicious site.
The requirement that XHR objects refer only to URLs on the same server is
an excellent security choice. Unfortunately, it is probably the single
biggest complaint that web designers have about AJAX. Because they often
want to display information from various sources on the same page, the
restriction is considered to be 'too strict' and to get around it, AJAX
bridges came about.
An AJAX bridge proxies requests to other servers, returning the remote
server's response. This allows XHR objects to refer to URLs on the
server that returned the page, but still retrieve content from other
servers elsewhere in the web. Unfortunately, this can lead to various
abuses. Depending on how it is written, the bridge can provide a means
to attack the third party site via SQL injection or XSS and allow the
malicious user to hide behind a level of indirection. Various monitoring
tools could detect the attack and shut down access for the aggregating
site, effectively causing a denial of service attack. By proxying requests,
a site is implicitly trusting its users not to abuse the APIs of third
parties.
Many of these attacks are not new, nor do they require AJAX to function, but
by incorporating AJAX techniques into web applications, they are made easier.
At one time, it was considered reasonable to turn off Javascript for many
or all sites, but with the prevalence of Web 2.0 applications, this just
is not possible for most web users. Web application developers need to be
vigilant in rooting out the bugs that allow these attacks to succeed.
Lionel Elie Mamane discovered a security vulnerability in capi4hylafax,
tools for faxing over a CAPI 2.0 device, that allows remote attackers to
execute arbitrary commands on the fax receiving system.
Luigi Auriemma discovered a buffer overflow in the loading component
of cheesetracker, a sound module tracking program, which could allow a
maliciously constructed input file to execute arbitrary code.
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack.
MySQL before 4.1.13 allows local users to cause a denial of service
(persistent replication slave crash) via a query with multiupdate and
subselects. (CVE-2006-4380)
There is a bug in the MySQL-Max (and MySQL) init script where the script
was not waiting for the mysqld daemon to fully stop. This impacted the
restart behavior during updates, as well as scripted setups that
temporarily stopped the server to backup the database files.
Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google
Security discovered that the OpenSSL library did not sufficiently check the
padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3
(which is widely used for CAs). This could be exploited to forge signatures
without the need of the secret key.
The sendmail mail transfer agent has a programming error.
A remote attacker can send specially crafted email messages
with extra long header lines to sendmail.
The sendmail process will crash, leading to a denial of service.
AlsaPlayer contains three buffer overflows: in the function that handles
the HTTP connections, the GTK interface, and the CDDB querying mechanism.
An attacker could exploit the first vulnerability by enticing a user to
load a malicious URL resulting in the execution of arbitrary code with the
permissions of the user running AlsaPlayer.
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."
The GNU assembler (gas) in binutils is vulnerable to a buffer overflow.
If a user can be tricked into assembling a specially crafted file with
gcc or gas, arbitrary code can be executed with the privileges of the user.
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time.
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor.
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate.
This CERT advisory contains details on
multiple vulnerabilities in Mozilla products, including Firefox, SeaMonkey
and Thunderbird. The most serious vulnerabilities could allow a remote
attacker to execute arbitrary code on an affected system.
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service.
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
A number of out-of-bounds index accesses have been found in gtetrinet; they could conceivably be exploited by a hostile server to execute arbitrary code.
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
The ImageMagick DisplayImageCommand has a heap overflow vulnerability.
If an maliciously created unexpanded glob is passed to ImageMagick,
a heap overflow can result.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued.
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
The libXm library in LessTif 0.95.0 and earlier allows local users to gain
privileges via the DEBUG_FILE environment variable, which is used to create
world-writable files when libXm is run from a setuid program.
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program.
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow.
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
LibVNCServer fails to properly validate protocol types effectively
letting users decide what protocol to use, such as "Type 1 - None".
LibVNCServer will accept this security type, even if it is not offered
by the server.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently
check the validity of namespace strings. If an user connects to a malicious
IMAP server, that server could exploit this to crash mutt or even execute
arbitrary code with the privileges of the mutt user. See this Secunia advisory for more
information.
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server.
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226).
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
A vulnerability was discovered in the sscanf function that could allow
attackers in certain circumstances to execute arbitrary code via argument
swapping which incremented an index past the end of an array and triggered
a buffer over-read.
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users.
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem.
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8).
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash.
Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
Sendmail has a vulnerability in the way it handles multi-part MIME messages.
A remote attacker can create a specially crafted email message that can
be used to crash the sendmail process, causing a denial of service.
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called.
Ulf Harnhammer from the Debian Security Audit Project discovered that
streamripper, a utility to record online radio-streams, performs
insufficient sanitizing of data received from the streaming server,
which might lead to buffer overflows and the execution of arbitrary
code.
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs.
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c
Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input
module. By tricking an user into opening a malicious remote media
location, a remote attacker could exploit this to crash Xine library
frontends (like totem-xine, gxine, or xine-ui) and possibly even
execute arbitrary code with the user's privileges.
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
Several format string vulnerabilities have been discovered in xine-ui,
the user interface of the xine video player, which may cause a denial
of service.
Several X.org libraries and X.org itself contain system calls to
set*uid() functions, without checking their result. Local users could
deliberately exceed their assigned resource limits and elevate their
privileges after an unsuccessful set*uid() system call. This requires
resource limits to be enabled on the machine.
There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin.
