Security
By Nathan Willis June 27, 2012
UEFI Secure boot is expected to interfere with many users' desire
to replace Windows or dual-boot it with Linux, because Microsoft is mandating that
secure boot be enabled on Windows 8 machines at the time of sale. On
June 5, we reported on Fedora's
plans for handling the secure boot mechanism in UEFI. Ubuntu has
subsequently announced its own plans, which take a different approach.
To recap, the secure boot feature constrains the hardware to boot only
software that has been signed by a known cryptographic key. The point
is that booting only signed, trusted binaries prevents attacks through
boot-time malware that could be undetectable after the infected system
is up and running. Microsoft is requiring hardware vendors to have secure
boot enabled if they want to include the official logo for
the upcoming Windows 8, although x86 vendors are also required to
allow the machine's owner to turn off secure boot entirely
or to install new keys. That option is regarded as insufficient for
several reasons, notably that there may be users who are required
(e.g., by office rules) to keep secure boot switched on, and that
entering new keys for every alternative OS is likely to be an arduous
process (even more so for the scenario where one needs to boot a
temporary OS, such as from a CD or USB key).
Fedora's strategy is to enroll in Microsoft's developer program, which
allows the project to purchase an approved $99 key through Verisign,
a key which will be recognized by UEFI secure boot. The key will be
used to sign the shim
bootloader, which is a "trivial UEFI first-stage bootloader" whose
only job is to boot GRUB2. Fedora will also sign the GRUB2 bootloader
and the kernel, although the latter two binaries can be signed with
the Fedora project's own keys.
Ubuntu's plan
Canonical posted
a brief announcement about its own secure boot plan on the company
blog on June 22, although the details were to be found in Steve
Langasek's message
to the ubuntu-devel mailing list. Canonical has generated its own
signing key which will be pre-loaded on machines that ship with
Ubuntu already installed. Ubuntu CDs will ship with a shim bootloader
(the same shim bootloader used by Fedora) signed by one of the existing
Microsoft-certified keys, much like the Fedora plan.
After that point, however, the distribution is taking a markedly
different approach to the trusted bootloader chain. An Ubuntu system
will boot into the efilinux bootloader,
which will in turn boot an unsigned kernel image. Under Fedora's plan, the shim bootloader verifies the integrity of GRUB2 before loading it, and GRUB2 in turn verifies the integrity of the kernel. Canonical
says that their reading of the specification makes it clear that their
secure boot responsibilities stop at the bootloader, and do not extend to
the kernel:
We believe that the intention of secure boot is to protect against
malicious use or modification of pre-boot code, before the
ExitBootServices UEFI service is invoked. Currently, this call is
performed by the boot loader, before the kernel is executed.
Therefore, we will only be requiring authentication of boot loader
binaries. Ubuntu will not require signed kernel images or kernel
modules.
The decision to use efilinux has its own justification. Because GRUB2
is licensed under the GPLv3, Canonical determined that machines with
Ubuntu pre-installed are subject to the "User Product" provisions of
GPLv3, which requires
that the distributor provide the user with all authorization keys
required to install the software. The company consulted with the FSF
about that topic, and was warned that the authorization key clause
would probably (although not definitely...) apply. Thus, if a hardware vendor shipped an Ubuntu system and did not include a way for users to install keys of their own, Canonical would be compelled to disclose its key. Revealing the signing key would undermine the point
of secure boot and "at that point our certificates would of course
be revoked and everyone would end up worse off."
Signatures, revocation, and other fine print
Ubuntu's decision to use its own key for pre-installed machines has
spawned relatively little debate, but there is a sharp disagreement
over the decision not to sign kernel images. Red Hat's Matthew
Garrett (who authored the Fedora secure boot plan) argued
that signing only the bootloader is insufficient:
How are you going to prevent your bootloader from being used to launch a
trojaned Fedora kernel, for instance? This is the kind of decision that
doesn't just affect Ubuntu, it has ramifications for the security model
that other distributions use. This makes it impossible to implement any
kind of signed userspace unless the user explicitly revokes the Ubuntu
bootloader first or uses their own trust chain.
Jamie Strandboge replied
that "the UEFI specification and the Windows 8 logo requirements
is that Secure Boot is designed to protect early boot only,"
and that signing the kernel and large portions of userspace is
unattractive for several reasons, "not least of which is that it
reduces the utility of the distribution."
Strandboge also contended that signing the kernel does not offer a
significant level of protection over signing the bootloader, because
the existence of any exploitable bootloader undermines the
trust chain for all OS vendors. The argument goes that if
DistroX's signed bootloader is vulnerable, malware authors could use
it to create a malicious live CD image that will boot even on a
machine that normally runs DistroY's secure bootloader with its signed
kernel. Thus, signing the kernel image is useful for creating a
trusted environment for user space, but it does not strengthen the
protection of secure boot itself.
There is also the open question of how key-revocations and other
updates to the secure boot world will work in practice. Both Fedora
and Ubuntu plan to make use of a "shim" bootloader so that they can
issue updates to the main bootloader without getting the updates
signed by Microsoft. But the distributions will also need to issue
revocations for vulnerable, signed bootloader and/or kernel images, and
the process by which the OS vendor pushes those updates out has yet to
be determined.
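A toy model of the two boot chains and of Garrett's objection, added here as an illustration (it is not code from Fedora, Canonical, or the article). HMAC-SHA256 stands in for real UEFI signatures, `dbx` models a firmware revocation list, and every key, image name, and payload is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed toy keys. HMAC-SHA256 stands in for the public-key signatures
# that real firmware verifies; key names and images are assumptions.
KEYS = {"microsoft": b"ms-demo", "fedora": b"fedora-demo",
        "canonical": b"canonical-demo"}


@dataclass(frozen=True)
class Image:
    name: str
    payload: bytes
    signer: str = ""            # key name, "" when the image is unsigned
    sig: bytes = b""
    next_keys: tuple = ()       # keys this stage accepts for the next stage
    verifies_next: bool = True  # False: loads whatever comes next


def sign(name, payload, signer, next_keys=(), verifies_next=True):
    sig = hmac.new(KEYS[signer], payload, hashlib.sha256).digest()
    return Image(name, payload, signer, sig, tuple(next_keys), verifies_next)


def digest(img):
    return hashlib.sha256(img.payload).hexdigest()


def verify(img, accepted, dbx):
    """True if img is signed by an accepted key and its hash is not revoked."""
    if digest(img) in dbx or img.signer not in accepted:
        return False
    expected = hmac.new(KEYS[img.signer], img.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, img.sig)


def boot(chain, db=("microsoft",), dbx=frozenset()):
    """Walk the chain; return (booted, name of the refused stage or None)."""
    accepted, checking = db, True  # the firmware always checks the first stage
    for img in chain:
        if checking and not verify(img, accepted, dbx):
            return False, img.name
        accepted, checking = img.next_keys, img.verifies_next
    return True, None


# Fedora plan: shim -> GRUB2 -> kernel, each stage verifying the next.
fedora_shim = sign("fedora-shim", b"shim+fedora-cert", "microsoft", ("fedora",))
grub2 = sign("grub2", b"grub2", "fedora", ("fedora",))
fedora_kernel = sign("fedora-kernel", b"vmlinuz-fedora", "fedora")
# Ubuntu plan: shim -> efilinux, which loads an unsigned kernel unchecked.
ubuntu_shim = sign("ubuntu-shim", b"shim+canonical-cert", "microsoft", ("canonical",))
efilinux = sign("efilinux", b"efilinux", "canonical", verifies_next=False)
ubuntu_kernel = Image("ubuntu-kernel", b"vmlinuz-ubuntu")
# A modified Fedora kernel that still carries the original signature bytes.
trojaned = replace(fedora_kernel, name="trojaned-kernel",
                   payload=b"vmlinuz-fedora+modified")


def scenarios():
    revoked = frozenset({digest(ubuntu_shim)})
    return {
        "fedora": boot([fedora_shim, grub2, fedora_kernel]),
        "fedora_tampered": boot([fedora_shim, grub2, trojaned]),
        "ubuntu": boot([ubuntu_shim, efilinux, ubuntu_kernel]),
        "tampered_via_ubuntu_loader": boot([ubuntu_shim, efilinux, trojaned]),
        "after_revocation": boot([ubuntu_shim, efilinux, trojaned], dbx=revoked),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} {result}")
```

The modified kernel is refused by GRUB2 in the Fedora chain but boots through the non-verifying loader on the same machine, until that chain's first-stage hash is placed in `dbx`.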
Although most multi-boot discussions revolve around dual-booting
Windows and a single Linux distribution, that is hardly the only
scenario. Canonical said that it will not offer its own signing key to
sign the bootloaders of other distributions or vendors, which some
feared would make it impossible to install, for example, Fedora on a
machine that comes with Ubuntu pre-installed. However, the owners
of machines pre-loaded with Ubuntu will still be able to install
Fedora or other OSes in tandem, because the company will require its
OEMs to include the Microsoft key in the secure boot key database
alongside the Ubuntu key.
As Windows 8 draws near, the questions about UEFI secure boot and
its impact on users continue to swirl. Clearly there are risks in
handing the ultimate say in booting one's machine to a third party
(particularly a rival OS vendor like Microsoft), and even though two of the largest
distributions have crafted a plan for dealing with secure boot's
restrictions, how much of an imposition the final product is still
hinges on unknowns like the revocation and update process. But the
biggest question that remains is whether it is wise to tacitly endorse secure
boot by playing its games in the first place. On that, the community may
never arrive at a single answer.
Brief items
If Microsoft's "reputation" database can't tell the difference between a
gambling site and an independently audited registered nonprofit
public-interest charity founded almost 30 years ago, it is certainly doing
you and your business more harm than good.
-- The Free Software Foundation is unimpressed at being tagged as a gambling site
Amazingly, Accenture, which sold its crap-on-a-stick high-school sophomoric completely insecure malfunctioning voter registration software to a bunch of states, so unsuccessfully that Colorado refused to pay and others, like Wisconsin and Shelby County, bought out the source code in order to try to bandaid it into a functional system, has decided to issue a DMCA protective order against Black Box Voting for exposing its flawed software.
Last time a voting system company did a DMCA takedown notice (Diebold, in 2004) it got socked with punitive charges for abusing the Digital Millennium Copyright Act, trying to use it to block distribution of material clearly published in the public interest.
-- Bev Harris gets a DMCA takedown request (the entire thread is interesting)
The firm gathers publicly available voter files from all 50 states and supplements this with records of political donations and other profiles purchased from commercial data brokers, says CEO Jeff Dittus. Then, working with about 100 high-traffic websites that register their users, they can match the offline data to the online identities of individuals.
Few Web surfers realize how widely data about them gets bought, sold, and
combined. But the practice is common. In a recent investigation, ProPublica
revealed that Microsoft and Yahoo each offer political campaigns the ability to target voters in similar ways.
-- Jessica Leber in Technology Review
Steve Langasek has posted a set of details on how Ubuntu's UEFI secure boot
mechanism will work. There are some real differences from the approach
taken by Fedora. "Microsoft's Windows 8 logo requirements do say that there must be a way
for users to disable secure boot or to install their own keys, and we
strongly support this in our own firmware guidelines; but in the event
that a manufacturer makes a mistake and delivers a locked-down system
with a GRUB 2 image signed by the Ubuntu key, we have not been able to
find legal guidance that we wouldn't then be required by the terms of
the GPLv3 to disclose our private key in order that users can install a
modified boot loader. At that point our certificates would of course be
revoked and everyone would end up worse off."
The H discusses a new demonstration application published by a German security researcher capable of reading credit card information over NFC. "Contactless credit card systems have been hacked in the past and while the problems with the technology are worrisome, access via NFC is not a viable way to harvest a great amount of credit card data for obvious reasons. The relatively easy availability of smartphone applications like paycardreader will most likely make them attractive for opportunist fraudsters, however."
New vulnerabilities
apache: privilege escalation
Package(s): apache
CVE #(s): CVE-2012-0883
Created: June 25, 2012
Updated: February 12, 2013
Description: From the CVE entry:
envvars (aka envvars-std) in the Apache HTTP Server before 2.4.2 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory during execution of apachectl.
asterisk: denial of service
Package(s): asterisk
CVE #(s): CVE-2012-3553
Created: June 26, 2012
Updated: June 27, 2012
Description: From the Red Hat bugzilla:
AST-2012-008 previously dealt with a denial of service attack exploitable in the Skinny channel driver that occurred when certain messages are sent after a previously registered station sends an Off Hook message. Unresolved in that patch is an issue in the Asterisk 10 releases, wherein, if a Station Key Pad Button Message is processed after an Off Hook message, the channel driver will inappropriately dereference a Null pointer.
Similar to AST-2012-008, a remote attacker with a valid SCCP ID can use this vulnerability by closing a connection to the Asterisk server when a station is in the "Off Hook" call state and crash the server.
This only affects version 10, and is fixed in 10.5.1.
dhcpcd: remote code execution
Package(s): dhcpcd
CVE #(s): CVE-2012-2152
Created: June 25, 2012
Updated: June 27, 2012
Description: From the Debian advisory:
It was discovered that dhcpcd, a DHCP client, was vulnerable to a stack
overflow. A malformed DHCP message could crash the client, causing a denial of
service, and potentially remote code execution through properly designed
malicious DHCP packets.
gdk-pixbuf: integer overflow
Package(s): gdk-pixbuf
CVE #(s): CVE-2012-2370
Created: June 25, 2012
Updated: January 17, 2013
Description: From the Gentoo advisory:
The "read_bitmap_file_data()" function in io-xbm.c contains an
integer overflow error
ImageMagick: integer overflow
Package(s): ImageMagick
CVE #(s): CVE-2012-1620
Created: June 22, 2012
Updated: June 27, 2012
Description: From the Red Hat Bugzilla entry:
An out-of heap-based buffer read flaw was found in the way ImageMagick, an image display and manipulation tool for the X Window System, retrieved Exchangeable image file format (Exif) header tag information from certain JPEG files. A remote attacker could provide a JPEG image file, with EXIF header containing specially-crafted tag values, which once opened in some ImageMagick tool would lead to the crash of that tool (denial of service).
kernel: NX emulation suspected broken
Package(s): kernel
CVE #(s): (none listed)
Created: June 25, 2012
Updated: June 27, 2012
Description: From the Fedora advisory:
Disabled 32bit NX emulation. Suspected of being broken and it deviates
from upstream.
kernel: denial of service and iptables bypass
libpng: multiple vulnerabilities
Package(s): libpng
CVE #(s): CVE-2009-5063, CVE-2011-3464
Created: June 22, 2012
Updated: October 22, 2012
Description: From the Gentoo advisory:
Multiple vulnerabilities have been discovered in libpng:
* The "embedded_profile_len()" function in pngwutil.c does not check
for negative values, resulting in a memory leak (CVE-2009-5063).
* The "png_formatted_warning()" function in pngerror.c contains an
off-by-one error (CVE-2011-3464).
libwpd: code execution
Package(s): libwpd
CVE #(s): CVE-2012-2149
Created: June 27, 2012
Updated: July 6, 2012
Description: From the Red Hat advisory:
A buffer overflow flaw was found in the way libwpd processed certain
Corel WordPerfect Office documents (.wpd files). An attacker could provide
a specially-crafted .wpd file that, when opened in an application linked
against libwpd, such as OpenOffice.org, would cause the application to
crash or, potentially, execute arbitrary code with the privileges of the
user running the application.
links: multiple vulnerabilities
Package(s): links
CVE #(s): (none listed)
Created: June 26, 2012
Updated: July 10, 2012
Description: From the Gentoo advisory:
A SSL verification vulnerability and two unspecified vulnerabilities
have been discovered in Links. Please review the Secunia Advisory
referenced below for details.
An attacker might conduct man-in-the-middle attacks. The unspecified
errors could allow for out-of-bounds reads and writes.
logrotate: symlink and hard link attacks
Package(s): logrotate
CVE #(s): CVE-2011-1549
Created: June 26, 2012
Updated: June 27, 2012
Description: From the CVE entry:
The default configuration of logrotate on Gentoo Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories under /var/log/ for packages.
mantis: multiple vulnerabilities
Package(s): mantis
CVE #(s): CVE-2012-1118, CVE-2012-1119, CVE-2012-1120, CVE-2012-1122, CVE-2012-1123, CVE-2012-2692
Created: June 25, 2012
Updated: November 9, 2012
Description: From the Debian advisory:
CVE-2012-1118:
Mantis installation in which the private_bug_view_threshold
configuration option has been set to an array value do not
properly enforce bug viewing restrictions.
CVE-2012-1119:
Copy/clone bug report actions fail to leave an audit trail.
CVE-2012-1120:
The delete_bug_threshold/bugnote_allow_user_edit_delete
access check can be bypassed by users who have write
access to the SOAP API.
CVE-2012-1122:
Mantis performed access checks incorrectly when moving bugs
between projects.
CVE-2012-1123:
A SOAP client sending a null password field can authenticate
as the Mantis administrator.
CVE-2012-2692:
Mantis does not check the delete_attachments_threshold
permission when a user attempts to delete an attachment from
an issue.
mediawiki: multiple vulnerabilities
Package(s): mediawiki
CVE #(s): CVE-2010-2789, CVE-2011-0537, CVE-2012-1578, CVE-2012-1579, CVE-2012-1580, CVE-2012-1581, CVE-2012-1582
Created: June 22, 2012
Updated: June 27, 2012
Description: From the Gentoo advisory:
MediaWiki allows remote attackers to bypass authentication, to perform
imports from any wgImportSources wiki via a crafted POST request, to
conduct cross-site scripting (XSS) attacks or obtain sensitive
information, to inject arbitrary web script or HTML, to conduct
clickjacking attacks, to execute arbitrary PHP code, to inject
arbitrary web script or HTML, to bypass intended access restrictions
and to obtain sensitive information.
mini-httpd: code execution
Package(s): mini-httpd
CVE #(s): CVE-2009-4490
Created: June 25, 2012
Updated: June 27, 2012
Description: From the Gentoo advisory:
mini_httpd does not properly check for shell escapes when parsing HTTP
requests.
A remote attacker could send specially crafted HTTP requests, possibly
resulting in execution of arbitrary code with the privileges of the
process, or allowing for overwriting of files.
mono and mono-debugger: multiple vulnerabilities
Package(s): mono and mono-debugger
CVE #(s): CVE-2010-3332, CVE-2010-3369, CVE-2010-4225
Created: June 22, 2012
Updated: June 27, 2012
Description: From the Gentoo advisory:
A remote attacker could execute arbitrary code, bypass general
constraints, obtain the source code for .aspx applications, obtain
other sensitive information, cause a Denial of Service, modify internal
data structures, or corrupt the internal state of the security manager.
A local attacker could entice a user into running Mono debugger in a
directory containing a specially crafted library file to execute
arbitrary code with the privileges of the user running Mono debugger.
A context-dependent attacker could bypass the authentication mechanism
provided by the XML Signature specification.
mosh: denial of service
Package(s): mosh
CVE #(s): CVE-2012-2385
Created: June 26, 2012
Updated: April 10, 2013
Description: From the Red Hat bugzilla:
A denial of service flaw was found in the way mosh, a remote terminal application, performed processing of parameters that have been passed to the terminal in the terminal dispatcher class (previously there was no limit for the count of parameters, which were allowed to be passed to the dispatcher). A remote attacker could use this flaw to cause a denial of service (mosh server to enter long for loop when trying to process the parameters) via specially-crafted escape sequence string.
msmtp: X.509 NULL spoofing
Package(s): msmtp
CVE #(s): CVE-2009-3942
Created: June 26, 2012
Updated: June 27, 2012
Description: From the CVE entry:
Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
nbd: denial of service
Package(s): nbd
CVE #(s): CVE-2011-1925
Created: June 26, 2012
Updated: June 27, 2012
Description: From the CVE entry:
nbd-server.c in Network Block Device (nbd-server) 2.9.21 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by causing a negotiation failure, as demonstrated by specifying a name for a non-existent export.
network-manager: insecure WPA AdHoc connections
Package(s): network-manager
CVE #(s): CVE-2012-2736
Created: June 27, 2012
Updated: September 12, 2012
Description: From the Ubuntu advisory:
It was discovered that certain wireless drivers incorrectly handled the
creation of WPA-secured AdHoc connections. This could result in AdHoc
wireless connections being created without any security at all. This update
removes WPA as a security choice for AdHoc connections in NetworkManager.
nvidia-drivers: privilege escalation
Package(s): nvidia-drivers
CVE #(s): CVE-2012-0946
Created: June 25, 2012
Updated: June 27, 2012
Description: From the Gentoo advisory:
A vulnerability has been found in the way NVIDIA drivers handle
read/write access to GPU device nodes, allowing access to arbitrary
system memory locations. A local attacker could gain escalated privileges.
openjpeg: code execution
Package(s): openjpeg
CVE #(s): CVE-2012-1499
Created: June 21, 2012
Updated: June 28, 2012
Description: From the Gentoo advisory:
An error in jp2.c of OpenJPEG could allow an out-of-bounds write error.
A remote attacker could entice a user to open a specially crafted JPEG
file, possibly resulting in execution of arbitrary code or a Denial of
Service condition.
php: information disclosure/arbitrary code execution
Package(s): php
CVE #(s): CVE-2010-2950
Created: June 27, 2012
Updated: July 2, 2012
Description: From the Red Hat advisory:
A format string flaw was found in the way the PHP phar extension processed
certain PHAR files. A remote attacker could provide a specially-crafted
PHAR file, which once processed in a PHP application using the phar
extension, could lead to information disclosure and possibly arbitrary code
execution via a crafted phar:// URI.
python-httplib2: use of incorrect certificates
Package(s): python-httplib2
CVE #(s): (none listed)
Created: June 25, 2012
Updated: April 10, 2013
Description: From the openSUSE advisory:
python-httplib2 used to ship its own copy of Mozilla NSS
certificates, but should use the system-wide ones instead.
roundcubemail: cross-site scripting
Package(s): roundcubemail
CVE #(s): CVE-2012-1253
Created: June 22, 2012
Updated: June 27, 2012
Description: From the Red Hat Bugzilla entry:
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before
0.7, when Internet Explorer is used, allows remote attackers to inject
arbitrary web script or HTML via vectors involving an embedded image
attachment.
rpm: multiple vulnerabilities
Package(s): rpm
CVE #(s): CVE-2010-2197, CVE-2010-2199
Created: June 25, 2012
Updated: June 27, 2012
Description: From the CVE entries:
rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag. (CVE-2010-2197).
lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059. (CVE-2010-2199).
tomcat: multiple vulnerabilities
Package(s): tomcat
CVE #(s): CVE-2010-4312, CVE-2011-1088, CVE-2011-1183, CVE-2011-1419, CVE-2011-1475, CVE-2011-1582, CVE-2011-2481
Created: June 25, 2012
Updated: June 27, 2012
Description: From the CVE entries:
The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie. (CVE-2010-4312)
Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. (CVE-2011-1088)
Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419. (CVE-2011-1183)
Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088. (CVE-2011-1419)
The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users." (CVE-2011-1475)
Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419. (CVE-2011-1582)
Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression. (CVE-2011-2481)
Page editor: Jake Edge