

The risks of disclosing web vulnerabilities

May 3, 2006

This article was contributed by Jake Edge.

One would think that an organization would be grateful to someone who found a vulnerability in their web application and provided them with the information needed to fix it. A recent episode where a security researcher has been charged with breaching the security of an online database makes it clear that this gratitude cannot be counted upon, however. Eric McCarty found a flaw in the University of Southern California (USC) online application system that would allow a SQL injection attack to extract the contents of a database which included some 275,000 records of both current students and applicants.

According to the original SecurityFocus article, the researcher discovered the flaw when using the system to apply to USC. The username and password text fields could be used to feed SQL commands to the database, allowing the entire contents to be read and/or modified. He then anonymously contacted SecurityFocus to disclose the flaw. Other than corresponding with SecurityFocus anonymously, McCarty did little, if anything, to cover his tracks, believing he was acting in good faith.
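To make the mechanism concrete, here is an added example (not code from the article or from USC's system) of the pattern behind such a flaw: a login query assembled by string concatenation beside the parameterised form that binds the field contents as data. The table and rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: a tiny applicant table standing in for the kind of
# online-application database the article describes (not USC's real schema).
# Passwords are stored in clear only to keep the example short.
SAMPLE_ROWS = [
    ("alice", "s3cret", "Alice Applicant"),
    ("bob", "hunter2", "Bob Student"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (username TEXT, password TEXT, name TEXT)")
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation, so whatever is typed into the
    username/password fields is parsed as part of the SQL statement."""
    sql = ("SELECT name FROM applicants WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, username, password):
    """Parameterised query: the field contents are bound as values and can
    never change the structure of the statement."""
    sql = "SELECT name FROM applicants WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # A tautology typed into both fields turns the WHERE clause into "always true"
    # in the concatenated version; the parameterised version returns nothing.
    tautology = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, tautology, tautology))
    print("fixed:     ", login_fixed(db, tautology, tautology))
```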

SecurityFocus contacted USC; the administrators of the web site claimed that only two records could be accessed via the SQL injection. When confronted with additional records, they admitted that the entire database was vulnerable and shut down the site for ten days in order to fix it. In addition, the administrators found the entries in the logfiles corresponding to the 'attack' and provided the IP address to law enforcement.

The IP address allowed the FBI to determine his identity and to execute a search warrant against him and his Gmail accounts. On his computer they evidently found seven records from the USC database and his Gmail account provided copies of the emails that he sent to SecurityFocus describing the vulnerability. The charges do not claim that he did anything with the seven records, just that he possessed them and had gotten them via 'misuse'.

The affidavit filed in the case claims that McCarty caused $140,000 in damages by causing USC to shut down its system for 10 days. It is somewhat difficult to see how telling someone about a flaw in their system makes one responsible for the time it takes them to fix it. It would seem that the original programmers of the system would be the ones who are culpable here.

Computer misuse statutes are typically written in such a way that any access, other than what is intended by the site owner, could be considered a crime. The intent of the 'perpetrator' rarely seems to be examined and this case is reminiscent of the conviction of a British security consultant last year. Daniel Cuthbert was concerned that he had been phished at a tsunami relief website and he did two simple tests to see if the site was for real. These tests set off alarms in an Intrusion Detection System and ultimately led to his conviction. In addition, his arrest caused him to lose his job as a security consultant.

It is very difficult to see how these kinds of prosecutions will lead to a safer internet and, in fact, they would seem likely to cause just the opposite. Even checking for the existence of a flaw is criminal (at least in some jurisdictions), and actually finding a flaw and disclosing it (not in a public way, but privately to the affected organization) can lead to charges in other jurisdictions. Anyone who thinks they may have spotted a potential problem area in a web application would be risking a great deal by probing it further. In addition, administrators of these sites are unlikely to even look at a flaw unless one can show them an exploit. Even then, as the first USC response shows, they may be unwilling or unable to see the implications of the flaw. The sad fact is that the best response to the discovery of a web site vulnerability may be to keep it to oneself.

[Editor's note: anybody who informs LWN of a vulnerability in the code will, assuming they have not exploited that vulnerability for their own gain, be thanked, publicly if desired.]


Brief items

A new X.Org security hole

There is a vulnerability in the X.Org server; it is a buffer overflow which can enable local root access by way of an X client. If you allow access to your X server from the net as a whole, this could be a remote root vulnerability - but, presumably, nobody has done that for years. As of this writing, updates are available from Gentoo, Mandriva, and SUSE; see the LWN vulnerability entry for the current list.

Note that this is not the vulnerability so loudly proclaimed recently by Coverity. That is an older bug which LWN readers knew about last March.


Firefox released

Firefox is out with a fix for a JavaScript-related denial of service vulnerability. Distributor updates are beginning to arrive, or see the download page to get a copy from the source.


New vulnerabilities

asterisk: several vulnerabilities

Package(s): asterisk    CVE #(s): CVE-2005-3559 CVE-2006-1827
Created: May 1, 2006    Updated: May 3, 2006
Description: Several problems have been discovered in Asterisk, an open source private branch exchange (telephone control center).
  • Adam Pointon discovered that due to missing input sanitizing it is possible to retrieve recorded phone messages for a different extension. (CVE-2005-3559)
  • Emmanouel Kellinis discovered an integer signedness error that could trigger a buffer overflow and hence allow the execution of arbitrary code. (CVE-2006-1827)
Debian DSA-1048-1 asterisk 2006-05-01


clamav: buffer overflow

Package(s): clamav    CVE #(s): CVE-2006-1989
Created: May 2, 2006    Updated: May 3, 2006
Description: A buffer overflow in the get_database function in the HTTP client in Freshclam in ClamAV 0.80 to 0.88.1 might allow remote web servers to execute arbitrary code via long HTTP headers.
Gentoo 200605-03 clamav 2006-05-02
Debian DSA-1050-1 clamav 2006-05-02
Mandriva MDKSA-2006:080 clamav 2006-05-01


libtiff: denial of service

Package(s): libtiff    CVE #(s): CVE-2006-2024
Created: April 28, 2006    Updated: May 31, 2006
Description: Multiple vulnerabilities in libtiff before 3.8.1 allow context-dependent attackers to cause a denial of service via a TIFF image that triggers errors in (1) the TIFFFetchAnyArray function in (a) tif_dirread.c; (2) certain "codec cleanup methods" in (b) tif_lzw.c, (c) tif_pixarlog.c, and (d) tif_zip.c; (3) and improper restoration of setfield and getfield methods in cleanup functions within (e) tif_jpeg.c, tif_pixarlog.c, (f) tif_fax3.c, and tif_zip.c.
Gentoo 200605-17 libtiff 2006-05-30
Red Hat RHSA-2006:0425-01 libtiff 2006-05-09
Debian DSA-1054-1 tiff 2006-05-09
Mandriva MDKSA-2006:082 libtiff 2006-05-03
Ubuntu USN-277-1 libtiff4 2006-05-03
SuSE SUSE-SR:2006:009 phpmyadmin, asterisk, libtiff, beagle, horde, dia, openvpn 2006-04-28
Fedora FEDORA-2006-474 libtiff 2006-04-27
Fedora FEDORA-2006-473 libtiff 2006-04-27


nessus: denial of service

Package(s): nessus    CVE #(s): CVE-2006-2093
Created: May 3, 2006    Updated: May 3, 2006
Description: An error in the nasl_split() function can cause the Nessus scanner to crash.
Ubuntu USN-279-1 libnasl 2006-05-03


phpWebSite: input validation

Package(s): phpwebsite    CVE #(s): CVE-2006-1819
Created: May 3, 2006    Updated: May 3, 2006
Description: Versions of phpWebSite prior to 0.10.2 have an input validation vulnerability which can enable the inclusion of (and execution of arbitrary code from) local files.
Gentoo 200605-04 phpwebsite 2006-05-02


resmgr: bypass access control rules

Package(s): resmgr    CVE #(s): (none assigned)
Created: May 1, 2006    Updated: May 3, 2006
Description: A problem has been discovered in resmgr, a resource manager library daemon and PAM module, that allows local users to bypass access control rules and open any USB device when access to one device was granted.
Debian DSA-1047-1 resmgr 2006-04-30


xine-lib: buffer overflow

Package(s): xine-lib    CVE #(s): CVE-2006-1664
Created: April 27, 2006    Updated: February 27, 2008
Description: xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed.
Gentoo 200802-12 xine-lib 2008-02-26
Gentoo 200604-16 xine-lib 2006-04-26


xine-ui: format string vulnerabilities

Package(s): xine-ui    CVE #(s): CVE-2006-1905
Created: April 27, 2006    Updated: May 11, 2006
Description: xine-ui has multiple format string vulnerabilities. Remote attackers can maliciously create a playlist file and execute arbitrary code with the privileges of the user who is running xine.
Mandriva MDKSA-2006:085 xine-ui 2006-05-10
Gentoo 200604-15 xine-ui 2006-04-26


X.Org: buffer overflow

Package(s): xorg-x11-server xorg-x11    CVE #(s): CVE-2006-1526
Created: May 3, 2006    Updated: January 10, 2007
Description: There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Fedora-Legacy FLSA:190777 2006-06-06
Trustix TSLSA-2006-0024 clamav, cyrus-sasl, kernel, libtiff, rsync, xorg-x11 2006-05-05
Mandriva MDKSA-2006:081-1 xorg-x11 2006-05-04
Ubuntu USN-280-1 xorg 2006-05-04
Slackware SSA:2006-123-01 x11 2006-05-04
Red Hat RHSA-2006:0451-01 2006-05-04
SuSE SUSE-SA:2006:023 xorg-x11-server 2006-05-03
Mandriva MDKSA-2006:081 xorg-x11 2006-05-02
Gentoo 200605-02 xorg-x11 2006-05-02


Page editor: Jonathan Corbet

Copyright © 2006, Eklektix, Inc.