By Jake Edge
July 1, 2009
Cross-site scripting (XSS) is
a common web application flaw that can lead to
a wide variety of attacks. The problem, and ways to eliminate it,
have been known for years, but new instances of XSS crop up regularly in
web applications—live sites as well as packages like content
management systems. Mozilla has taken the lead on a new security policy,
Content Security Policy
(CSP), which provides a way for sites to avoid XSS. It does that by
fundamentally changing the way JavaScript content is treated by the
browser, but does so
in a way that allows sites to opt in to the new policy.
XSS works by injecting JavaScript content into the data returned by a web
server. Normally that happens because some kind of user input was not
properly filtered before it was echoed back on a web page. If that user
input—in the form of a comment on an article, for
example—contains unfiltered JavaScript, the user's browser will
happily execute it as if it originated with the site. At that point,
attacker-controlled code is running with the privileges of the browser user
and the origin site.
As described
by Mozilla's security program manager Brandon Sterne, on the Mozilla
Security Blog, CSP changes that model. Instead of treating all content
received in a response as having the same privilege level, CSP allows the
site owner to explicitly list what kinds of JavaScript to trust. In order
to do that, however, CSP strictly limits where JavaScript can originate,
and where it can appear in HTML.
Basically, CSP allows a site operator to list hosts from which JavaScript
content will be accepted. If that option is used (via an HTTP
X-Content-Security-Policy header or HTML
<META> tag), all JavaScript must be loaded from external
files from hosts on the list—all other mechanisms for executing
JavaScript are disabled for that page. Sterne describes it this way:
In order to differentiate legitimate content from injected or modified
content, CSP requires that all JavaScript for a page be 1) loaded from an
external file, and 2) served from an explicitly approved host. This means
that all inline script, javascript: URIs, and event-handling HTML
attributes will be ignored. Only script included via a <script> tag
pointing to a white-listed host will be treated as valid.
This will be an enormous change for sites that want to use CSP, but it is
backward-compatible with older browsers (or those that do not support CSP),
and there are ways to
incrementally approach the implementation. Sterne notes that all sites
should be able to make the switch, and Mozilla intends to provide a
migration guide to help sites convert to CSP. But, it remains to be seen
whether sites will actually use it. Mozilla security lead, Daniel Veditz,
commented
about that
in the bug entry
that tracks CSP implementation:
Funny you should mention the onclick attribute as that one specifically
is a popular one to abuse. Whether the burden of rewriting your site to the
supported safe subset of HTML is worth it depends on how valuable the contents
of your site are.
Note that we are not eliminating event handlers, just the ability to specify
them inline. AddEventListener() will still work, as will setting the .click
property of a DOM node. This is a little cumbersome, but there are already
sites that do this for some of their content.
CSP is a gamble; it could be that the hurdle will turn out to be too high. But
if we can get authors over that hurdle we can promise them a safer site.
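The rewrite Veditz describes, shown as an added example that is not code from the article, from Mozilla, or from any real site: the behaviour of a form button moves out of an `onclick` attribute (which CSP ignores) into a script file served from an approved host, where it is attached with `addEventListener`. The markup in the comments, the file name `ui.js`, the host `static.example.com` and the two handler functions are all constructed; the small fake document at the bottom exists only so the file runs outside a browser.

```javascript
// ui.js, served from a white-listed host (constructed example, not from the article).
//
// Markup before, which CSP ignores because the script lives in attributes:
//   <button onclick="saveDraft()">Save</button>
//   <a href="javascript:showHelp()">Help</a>
//
// Markup after, with no script in the HTML at all:
//   <button id="save">Save</button>
//   <a id="help" href="/help">Help</a>
//   <script src="https://static.example.com/ui.js"></script>

// Attach click handlers by element id. `handlers` maps id -> listener, so the
// same wiring works against a real document or the stub further down.
function wireHandlers(doc, handlers) {
  const wired = [];
  for (const [id, listener] of Object.entries(handlers)) {
    const el = doc.getElementById(id);
    if (!el) continue; // markup may omit an element; skip rather than throw
    el.addEventListener('click', listener);
    wired.push(id);
  }
  return wired;
}

// The two behaviours that used to live in the inline attributes.
function saveDraft(state) {
  state.saved = true;
}
function showHelp(state, ev) {
  if (ev && ev.preventDefault) ev.preventDefault(); // keep the href as a no-script fallback
  state.helpShown = true;
}

// Minimal stand-in for the DOM so this file runs under Node (constructed).
function makeFakeDocument(ids) {
  const elements = new Map();
  for (const id of ids) {
    elements.set(id, {
      listeners: [],
      addEventListener(type, fn) { this.listeners.push({ type, fn }); },
      click() {
        this.listeners
          .filter((l) => l.type === 'click')
          .forEach((l) => l.fn({ preventDefault() {} }));
      },
    });
  }
  return { getElementById: (id) => elements.get(id) || null };
}

// Wire the page, simulate two clicks, and report what happened.
function demo() {
  const state = { saved: false, helpShown: false };
  const doc = makeFakeDocument(['save', 'help']);
  const wired = wireHandlers(doc, {
    save: () => saveDraft(state),
    help: (ev) => showHelp(state, ev),
    missing: () => {}, // id absent from the page: skipped, not fatal
  });
  doc.getElementById('save').click();
  doc.getElementById('help').click();
  return { wired, state };
}

console.log(demo());
```

In a browser the only change from this file is replacing `makeFakeDocument(...)` with `document`; the `wireHandlers` call belongs in a `DOMContentLoaded` listener so the elements exist when it runs.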
Another interesting feature of CSP is its ability to notify a site when
there is an attempt to violate the policy. This will even benefit users of
browsers that don't support CSP, as XSS holes can be recognized and fixed
more quickly. Sterne is optimistic about the effect of CSP:
The bottom line is that it will be extremely difficult to mount a
successful XSS attack against a site with CSP enabled. All common vectors
for script injection will no longer work and the bar for a successful
attack is placed much, much higher.
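As an added illustration (not code from the article or from Mozilla's implementation), the following JavaScript models the loading rule Sterne describes together with the violation reporting mentioned above: external scripts are accepted only from listed hosts, while inline script, `javascript:` URIs and event-handler attributes are rejected regardless of origin, and every rejection produces a report. The `script-src` and `report-uri` directive syntax and the report field names follow the later standardized Content-Security-Policy form; that is an assumption, since the page does not show the grammar of the 2009 `X-Content-Security-Policy` header. The policy, page URL and script list are constructed sample data.

```javascript
// Added example: a model of CSP's script rule, not Mozilla's code.
// Policy grammar and report field names follow the later standardized
// Content-Security-Policy form (an assumption; the 2009 header differed).

// Parse "script-src host1 host2 'self'; report-uri /path" into its parts.
function parsePolicy(policy) {
  const hosts = new Set();
  let reportUri = null;
  for (const directive of policy.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name === 'script-src') values.forEach((v) => hosts.add(v.toLowerCase()));
    else if (name === 'report-uri') reportUri = values[0] || null;
  }
  return { hosts, reportUri };
}

// True when `host` is on the white-list. 'self' means the page's own host;
// a leading "*." matches any subdomain but not the bare domain itself.
function hostAllowed(hosts, host, pageHost) {
  host = host.toLowerCase();
  if (hosts.has("'self'") && pageHost && host === pageHost.toLowerCase()) return true;
  for (const entry of hosts) {
    if (entry === host) return true;
    if (entry.startsWith('*.') && host.endsWith(entry.slice(1))) return true;
  }
  return false;
}

// Classify every script occurrence on a page. Only kind 'external' can ever
// be allowed; 'inline', 'event-attribute' and 'javascript-uri' are always
// dropped, which is the rule quoted from Sterne above.
function evaluatePage(policy, pageUrl, scripts) {
  const { hosts, reportUri } = parsePolicy(policy);
  const pageHost = new URL(pageUrl).hostname;
  const allowed = [];
  const blocked = [];
  const reports = [];
  for (const script of scripts) {
    let reason = null;
    let blockedUri = 'inline';
    if (script.kind === 'external') {
      try {
        const resolved = new URL(script.src, pageUrl); // relative src resolves against the page
        blockedUri = resolved.href;
        if (!hostAllowed(hosts, resolved.hostname, pageHost)) {
          reason = `host ${resolved.hostname} is not white-listed`;
        }
      } catch (e) {
        reason = 'unparseable script src';
      }
    } else {
      reason = `${script.kind} script is never executed under CSP`;
    }
    if (reason === null) {
      allowed.push(script);
    } else {
      blocked.push(script);
      // One report per violation; a browser would POST these to reportUri.
      reports.push({
        'document-uri': pageUrl,
        'violated-directive': 'script-src',
        'blocked-uri': blockedUri,
        reason,
      });
    }
  }
  return { allowed, blocked, reports, reportUri };
}

// Constructed sample: one page, one policy, six script occurrences.
const SAMPLE_POLICY = "script-src 'self' static.example.com; report-uri /csp-report";
const SAMPLE_PAGE = 'https://www.example.com/article';
const SAMPLE_SCRIPTS = [
  { kind: 'external', src: '/js/app.js' },                        // same host -> 'self'
  { kind: 'external', src: 'https://static.example.com/lib.js' }, // listed host
  { kind: 'external', src: 'https://evil.example.net/x.js' },     // not listed
  { kind: 'inline', code: 'alert("injected")' },
  { kind: 'event-attribute', name: 'onclick', code: 'injected()' },
  { kind: 'javascript-uri', href: 'javascript:injected()' },
];

const demoResult = evaluatePage(SAMPLE_POLICY, SAMPLE_PAGE, SAMPLE_SCRIPTS);
console.log(`${demoResult.allowed.length} allowed, ${demoResult.blocked.length} blocked`);
console.log(`reports for ${demoResult.reportUri}:`, demoResult.reports);
```

Running it on the sample classifies two of the six scripts as allowed and emits four reports, one for each blocked item. The third report explains the point the article makes about users of non-CSP browsers: a report with `blocked-uri: inline` arriving from a page that is supposed to contain no inline script is exactly the signal that an injection point exists and needs fixing at the server.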
The open question is whether site operators are concerned enough about XSS
to change the way they handle JavaScript. Over time, automated tools may
help with that process, which could lower the bar somewhat, but it is still
a daunting task. One would guess that the other browsers will take a "wait
and see" attitude before deciding whether to implement it. Though the
implementation is progressing, there is no word from Mozilla on when it
might release a browser with CSP either.
Perhaps CSP is too heavy-handed of a solution to the XSS problem, but it is
good to see Mozilla taking a lead in trying to find something that will
alleviate the problem. There are other, similar efforts in the works at
Mozilla including the Origin header to
mitigate cross-site request forgery and clickjacking.
While these web application vulnerabilities are largely understood and
techniques to avoid them are known, they keep cropping up. Finding ways to
make users' browsers more resistant to these kinds of attacks can only help
improve web security.
New vulnerabilities
git: denial of service

| Package(s): | git |
| CVE #(s): | CVE-2009-2108 |
| Created: | June 25, 2009 |
| Updated: | February 1, 2010 |

Description: git has a denial of service vulnerability. From the National Vulnerability Database entry:

git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request containing extra unrecognized arguments.
html2text.php: arbitrary code execution

| Package(s): | html2text.php |
| CVE #(s): | CVE-2008-5619 |
| Created: | June 25, 2009 |
| Updated: | July 1, 2009 |

Description: html2text.php has an arbitrary code execution vulnerability. From the National Vulnerability Database entry:

html2text.php in Chuggnutt HTML to Text Converter, as used in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.
kdegraphics: multiple vulnerabilities

| Package(s): | kdegraphics |
| CVE #(s): | CVE-2009-0945, CVE-2009-1709 |
| Created: | June 25, 2009 |
| Updated: | January 25, 2011 |

Description: kdegraphics has multiple vulnerabilities. From the Red Hat alert:

A use-after-free flaw was found in the KDE KSVG animation element
implementation. A remote attacker could create a specially-crafted SVG
image, which once opened by an unsuspecting user, could cause a denial of
service (Konqueror crash) or, potentially, execute arbitrary code with the
privileges of the user running Konqueror. (CVE-2009-1709)

A NULL pointer dereference flaw was found in the KDE KSVG SVGList
interface implementation. A remote attacker could create a
specially-crafted SVG image, which once opened by an unsuspecting user,
would cause memory corruption, leading to a denial of service (Konqueror
crash). (CVE-2009-0945)
kdelibs: multiple vulnerabilities

| Package(s): | kdelibs |
| CVE #(s): | CVE-2009-1687, CVE-2009-1690, CVE-2009-1698 |
| Created: | June 25, 2009 |
| Updated: | January 25, 2011 |

Description: kdelibs has multiple vulnerabilities. From the Red Hat alert:

A flaw was found in the way the KDE CSS parser handled content for the
CSS "style" attribute. A remote attacker could create a specially-crafted
CSS equipped HTML page, which once visited by an unsuspecting user, could
cause a denial of service (Konqueror crash) or, potentially, execute
arbitrary code with the privileges of the user running Konqueror.
(CVE-2009-1698)

A flaw was found in the way the KDE HTML parser handled content for the
HTML "head" element. A remote attacker could create a specially-crafted
HTML page, which once visited by an unsuspecting user, could cause a denial
of service (Konqueror crash) or, potentially, execute arbitrary code with
the privileges of the user running Konqueror. (CVE-2009-1690)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way the KDE JavaScript garbage collector handled memory
allocation requests. A remote attacker could create a specially-crafted
HTML page, which once visited by an unsuspecting user, could cause a denial
of service (Konqueror crash) or, potentially, execute arbitrary code with
the privileges of the user running Konqueror. (CVE-2009-1687)
kernel: buffer overflow

| Package(s): | kernel |
| CVE #(s): | CVE-2009-1389 |
| Created: | June 25, 2009 |
| Updated: | September 23, 2010 |

Description: The kernel has a buffer overflow vulnerability. From the National Vulnerability Database entry:

Buffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the Linux kernel before 2.6.30 allows remote attackers to cause a denial of service (kernel memory corruption and crash) via a long packet.
moodle: arbitrary SQL execution

| Package(s): | moodle |
| CVE #(s): | CVE-2008-6124 |
| Created: | June 25, 2009 |
| Updated: | July 1, 2009 |

Description: moodle has an arbitrary SQL execution vulnerability. From the National Vulnerability Database entry:

SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 allows remote attackers to execute arbitrary SQL commands via a crafted selected attempt.
net-snmp: denial of service

| Package(s): | net-snmp |
| CVE #(s): | CVE-2009-1887 |
| Created: | June 25, 2009 |
| Updated: | July 20, 2009 |

Description: net-snmp has a denial of service vulnerability. From the Red Hat alert:

A divide-by-zero flaw was discovered in the snmpd daemon. A remote attacker
could issue a specially-crafted GETBULK request that could crash the snmpd
daemon. (CVE-2009-1887)

Note: An attacker must have read access to the SNMP server in order to
exploit this flaw.
openssl: multiple vulnerabilities

| Package(s): | openssl |
| CVE #(s): | CVE-2009-1379, CVE-2009-1386, CVE-2009-1387 |
| Created: | June 26, 2009 |
| Updated: | March 2, 2010 |

Description: From the Ubuntu advisory:

It was discovered that OpenSSL did not properly handle certain server
certificates when processing DTLS packets. A remote DTLS server could cause
a denial of service by sending a message containing a specially crafted
server certificate. (CVE-2009-1379)

It was discovered that OpenSSL did not properly handle a DTLS
ChangeCipherSpec packet when it occurred before ClientHello. A remote
attacker could cause a denial of service by sending a specially crafted
request. (CVE-2009-1386)

It was discovered that OpenSSL did not properly handle out of sequence
DTLS handshake messages. A remote attacker could cause a denial of service
by sending a specially crafted request. (CVE-2009-1387)
pam_krb5: information disclosure

| Package(s): | pam_krb5 |
| CVE #(s): | CVE-2009-1384 |
| Created: | June 29, 2009 |
| Updated: | March 31, 2010 |

Description: From the Red Hat bugzilla entry:

A security flaw was found in the PAM pam_krb5 module, which provides user
authentication based on Kerberos principals. A remote attacker could use this
flaw to recognize whether a given username/login belongs to the set of user
accounts existing on the system, and subsequently perform a dictionary-based
password guessing attack.
php: crash with corrupted JPEG file

| Package(s): | php |
| CVE #(s): | |
| Created: | June 29, 2009 |
| Updated: | July 1, 2009 |

Description: From the PHP bug report:

There seems to be a problem in exif_read_data(), where some fields
representing offsets(?) are taken directly from the file without being
validated, resulting in a segmentation fault.
rt3: privilege escalation

| Package(s): | rt3 |
| CVE #(s): | |
| Created: | June 25, 2009 |
| Updated: | July 1, 2009 |

Description: rt3 has a privilege escalation vulnerability. From the Fedora alert:

Bug #506885 - rt3: privilege to edit 'RT at a Glance' unintentionally granted by "ShowConfigTab" right.
samba: several vulnerabilities

| Package(s): | samba |
| CVE #(s): | CVE-2009-1886, CVE-2009-1888 |
| Created: | June 26, 2009 |
| Updated: | December 7, 2009 |

Description: From the Debian advisory:

Several vulnerabilities have been discovered in Samba, an SMB/CIFS file, print, and login server. The Common Vulnerabilities and Exposures project identifies the following problems:

The smbclient utility contains a format string vulnerability where commands dealing with file names treat user input as format strings to asprintf. (CVE-2009-1886)

In the smbd daemon, if a user is trying to modify an access control list (ACL) and is denied permission, this deny may be overridden if the parameter "dos filemode" is set to "yes" in the smb.conf and the user already has write access to the file. (CVE-2009-1888)
seamonkey: multiple vulnerabilities

| Package(s): | seamonkey |
| CVE #(s): | |
| Created: | June 25, 2009 |
| Updated: | September 8, 2009 |

Description: seamonkey has multiple vulnerabilities. From the Mozilla advisory:

MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
smarty: PHP code injection

| Package(s): | smarty |
| CVE #(s): | CVE-2008-4810 |
| Created: | June 25, 2009 |
| Updated: | August 18, 2010 |

Description: Smarty has a PHP code injection vulnerability. From the National Vulnerability Database entry:

The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka "php executed in templates;" and (2) a double quoted literal string, aka a "function injection security hole." NOTE: each vector affects slightly different SVN revisions.
thunderbird: arbitrary code execution

| Package(s): | mozilla-thunderbird |
| CVE #(s): | CVE-2009-2210 |
| Created: | June 29, 2009 |
| Updated: | July 16, 2009 |

Description: From the CVE entry:

Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a multipart/alternative e-mail message containing a text/enhanced part that triggers access to an incorrect object type.
Page editor: Jake Edge