Security
The Application Security Desk Reference
The Open Web Application Security Project (OWASP) has undertaken an ambitious project to create a reference manual—in the same vein as the Physician's Desk Reference—covering application security. The book, along with a companion wiki, is meant to be the starting point for researchers, developers, and code reviewers when performing a number of security-related tasks. The book is currently in an alpha state, with OWASP looking for more reviewers and authors to get the book into a finished state by August.
The Application Security Desk Reference (ASDR) will be a 900+ page book, extensively tagged—cross-referenced in the wiki—to provide a multi-dimensional view of security threats, attacks, vulnerabilities, and impacts. The book introduces a set of principles that will help guide developers in avoiding these problems along with controls (aka countermeasures) to evade or eliminate them. The authors provide a description of why they took this approach:
The PDF 0.9 version is available, and it is already quite useful, though there is still a fair amount of work to do. An important goal is to provide a foundation:
Technical books have an unfortunate tendency to go stale rapidly because the industry moves so quickly. Maintaining the wiki will help alleviate this problem by allowing for a dynamic reference that can be periodically produced in dead-tree form as well. Much of this kind of information can be found in books and on the web, but collecting it in one place is very valuable.
Three sections of the current draft stand out as being closest to completion: Principles, Attacks, and Vulnerabilities. Principles contains 17 basic things to keep in mind as part of gaining a "security consciousness". It defines terms in clear language and provides reasons why the principle should be followed. An example:
More than 50 attacks are listed, along with examples and concise descriptions. In addition, there are several hundred vulnerabilities listed, each with examples as well as information on which platforms or languages are affected. It clearly sets out to be a clearinghouse of application security information and looks like it is succeeding in that.
For anyone with an interest in security, it is well worth a look. For those who are skilled in security techniques, assisting with the review and content creation might be in order.
Brief items
SSL Certificates Vulnerable to OpenSSL Flaw on Debian (Netcraft)
Netcraft has discovered a "significant number" of bad SSL certificates due to the recent Debian OpenSSL flaw. Some Extended Validation (EV) certificates are among those they found that were generated with the vulnerable code. "The vulnerable certificates afford opportunities to create deceptive sites which use apparently valid SSL certificates, giving the user the impression that the site belongs to the certified organisation. In the case of EV certificates, browsers will also turn the address bar green, even though the certificate may be cloned."
New vulnerabilities
cbrpager: execution of arbitrary code
Package(s): cbrpager
CVE #(s): CVE-2008-2575
Created: June 17, 2008
Updated: June 18, 2008
Description: From the Gentoo advisory: Mamoru Tasaka discovered that filenames of the image archives are not properly sanitized before being passed to decompression utilities like unrar and unzip, which use the system() libc library call.
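The bug class in this entry, an archive name interpolated into a command line that system() hands to /bin/sh, is easiest to see next to the fix, which is to invoke the extractor through execvp() with an argv array so that no shell ever parses the name. The C program below is an added example written for this page, not cbrpager's code: the unzip command line, the hostile filename and the blacklist of shell metacharacters are all constructed here, and /bin/echo stands in for the real extractor in the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: the archive name is interpolated into a command line
 * that system() will hand to /bin/sh. Quoting does not save it: a filename
 * containing a single quote closes the quoted string and whatever follows is
 * executed as shell. Returns the command length, like snprintf(). */
int build_shell_command(char *out, size_t outlen, const char *archive) {
    return snprintf(out, outlen, "unzip -o '%s' -d /tmp/cbrpager", archive);
}

/* Does a filename contain anything /bin/sh would interpret? Useful as a
 * diagnostic when auditing inputs, but a blacklist is not the fix: the fix
 * is to keep the shell out of the picture entirely (run_extractor below). */
int filename_is_shell_safe(const char *name) {
    static const char meta[] = "'\"`$\\;&|<>()*?[]{}~ \t\n";
    for (const char *p = name; *p; p++)
        if (strchr(meta, *p)) return 0;
    return 1;
}

/* Hardened pattern: fork and execvp() with an argv array. The filename is a
 * single argv element whatever bytes it contains, because no shell parses it.
 * Use an absolute path for 'tool' in real code so PATH cannot be hijacked.
 * Returns the tool's exit status, 127 if it could not be executed, -1 on error. */
int run_extractor(const char *tool, const char *archive, const char *destdir) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, "-o", (char *)archive, "-d", (char *)destdir, NULL };
        execvp(tool, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed hostile filename: the quote ends the quoted argument and the
     * rest runs as two further shell commands. */
    const char *evil = "comic'; touch /tmp/pwned; echo '.cbz";
    char cmd[256];

    build_shell_command(cmd, sizeof cmd, evil);
    printf("system() would run: %s\n", cmd);
    printf("shell-safe filename? %d\n", filename_is_shell_safe(evil));

    /* With execvp() the same name is just argv[2]; /bin/echo stands in for unzip. */
    printf("extractor exit status: %d\n", run_extractor("/bin/echo", evil, "/tmp/cbrpager"));
    return 0;
}
```

Running it prints the command the vulnerable path would have handed to the shell, then shows the hostile name being passed through echo as one opaque argument.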
freetype: multiple vulnerabilities
Package(s): freetype
CVE #(s): CVE-2008-1806 CVE-2008-1807 CVE-2008-1808
Created: June 18, 2008
Updated: May 22, 2009
Description: The freetype library suffers from integer overflow (CVE-2008-1806), multiple free (CVE-2008-1807), and heap overflow (CVE-2008-1808) vulnerabilities, all of which could potentially be exploited remotely. Version 2.3.6 contains the fixes.
openoffice.org: arbitrary code execution
Package(s): openoffice.org
CVE #(s): CVE-2008-2366
Created: June 16, 2008
Updated: June 18, 2008
Description: From the Red Hat advisory: It was discovered that certain libraries in the Red Hat Enterprise Linux 3 and 4 openoffice.org packages had an insecure relative RPATH (runtime library search path) set in the ELF (Executable and Linking Format) header. A local user able to convince another user to run OpenOffice in an attacker-controlled directory, could run arbitrary code with the privileges of the victim. (CVE-2008-2366)
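What the advisory calls an insecure relative RPATH is a DT_RPATH or DT_RUNPATH entry in the object's dynamic section whose value contains an element that the dynamic linker resolves against the current working directory (an empty element, ".", or anything that is neither absolute nor anchored at $ORIGIN), so a lib*.so planted in that directory gets loaded. The C below is an added example written for this page, not OpenOffice.org code or any distribution's scanner: it checks an RPATH string for such elements and walks an in-memory dynamic section using the Elf64_Dyn type from <elf.h>. The string table and dynamic entries are a constructed sample standing in for ones read from a file, and only the first RPATH/RUNPATH entry found is reported.

```c
#include <elf.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if any ':'-separated element of an RPATH/RUNPATH value is resolved
 * relative to the process's working directory: an empty element (meaning "."),
 * or a path that is neither absolute nor anchored at $ORIGIN, the directory of
 * the object itself. Those are the values an attacker-controlled directory
 * turns into library hijacking. */
int rpath_has_relative_entry(const char *rpath) {
    const char *p = rpath;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0) return 1;                           /* "" is "." to the loader */
        if (p[0] != '/' &&
            strncmp(p, "$ORIGIN", 7) != 0 &&
            strncmp(p, "${ORIGIN}", 9) != 0)
            return 1;                                     /* "lib", "../lib", "." ... */
        if (!colon) return 0;
        p = colon + 1;
    }
}

/* Walk at most 'ndyn' dynamic entries (stopping at DT_NULL) and return the
 * RPATH or RUNPATH string, or NULL if there is none. The string-table offset
 * is bounds checked so a corrupt section cannot make us read past the table. */
const char *find_rpath(const Elf64_Dyn *dyn, size_t ndyn,
                       const char *strtab, size_t strtab_len, int *tag_out) {
    for (size_t i = 0; i < ndyn && dyn[i].d_tag != DT_NULL; i++) {
        if (dyn[i].d_tag != DT_RPATH && dyn[i].d_tag != DT_RUNPATH) continue;
        size_t off = (size_t)dyn[i].d_un.d_val;
        if (off >= strtab_len || memchr(strtab + off, '\0', strtab_len - off) == NULL)
            return NULL;                                  /* out of range or unterminated */
        *tag_out = (int)dyn[i].d_tag;
        return strtab + off;
    }
    return NULL;
}

/* 1 = an insecure search path is present, 0 = no RPATH/RUNPATH or all safe. */
int dynamic_section_is_insecure(const Elf64_Dyn *dyn, size_t ndyn,
                                const char *strtab, size_t strtab_len) {
    int tag = 0;
    const char *rp = find_rpath(dyn, ndyn, strtab, strtab_len, &tag);
    return rp != NULL && rpath_has_relative_entry(rp);
}

/* Constructed sample of the kind of dynamic section a vulnerable library
 * carries: offset 1 is the DT_NEEDED name, offset 11 the RPATH value. */
static const char sample_strtab[] = "\0libc.so.6\0../lib:/usr/lib";
static const Elf64_Dyn sample_dyn[] = {
    { DT_NEEDED, { 1 } },
    { DT_RPATH,  { 11 } },
    { DT_NULL,   { 0 } },
};
#define SAMPLE_NDYN (sizeof sample_dyn / sizeof sample_dyn[0])

int main(void) {
    int tag = 0;
    const char *rp = find_rpath(sample_dyn, SAMPLE_NDYN, sample_strtab, sizeof sample_strtab, &tag);
    printf("%s = [%s] -> %s\n",
           tag == DT_RUNPATH ? "RUNPATH" : "RPATH", rp ? rp : "(none)",
           dynamic_section_is_insecure(sample_dyn, SAMPLE_NDYN, sample_strtab, sizeof sample_strtab)
               ? "INSECURE" : "ok");
    return 0;
}
```

The same element check applies to the value readelf -d prints after "Library rpath:" or "Library runpath:", which is the quickest way to sweep an installed tree for the pattern in this advisory.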
roundcubemail: cross-site scripting
Package(s): roundcubemail
CVE #(s): CVE-2007-6321
Created: June 16, 2008
Updated: June 18, 2008
Description: From the Red Hat bugzilla: Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via style sheets containing expression commands.
typo3: several vulnerabilities
Package(s): typo3
CVE #(s): (none listed)
Created: June 13, 2008
Updated: June 18, 2008
Description: From the Debian advisory: Several remote vulnerabilities have been discovered in the TYPO3 content management framework. Because of a not sufficiently secure default value of the TYPO3 configuration variable fileDenyPattern, authenticated backend users could upload files that allowed arbitrary code to be executed as the webserver user. User input processed by fe_adminlib.inc is not being properly filtered to prevent Cross Site Scripting (XSS) attacks, which is exposed when specific plugins are in use.
xorg-server: multiple vulnerabilities
Package(s): xorg-server
CVE #(s): CVE-2008-1377 CVE-2008-1379 CVE-2008-2360 CVE-2008-2361 CVE-2008-2362
Created: June 12, 2008
Updated: September 26, 2008
Description: From the Debian alert:
CVE-2008-1377: Lack of validation of the parameters of the SProcSecurityGenerateAuthorization and SProcRecordCreateContext functions makes it possible for a specially crafted request to trigger the swapping of bytes outside the parameter of these requests, causing memory corruption.
CVE-2008-1379: An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space.
CVE-2008-2360: An integer overflow may occur in the computation of the size of the glyph to be allocated by the AllocateGlyph() function which will cause less memory to be allocated than expected, leading to later heap overflow.
CVE-2008-2361: An integer overflow may occur in the computation of the size of the glyph to be allocated by the ProcRenderCreateCursor() function which will cause less memory to be allocated than expected, leading later to dereferencing un-mapped memory, causing a crash of the X server.
CVE-2008-2362: Integer overflows can also occur in the code validating the parameters for the SProcRenderCreateLinearGradient, SProcRenderCreateRadialGradient and SProcRenderCreateConicalGradient functions, leading to memory corruption by swapping bytes outside of the intended request parameters.
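Two patterns in this alert recur on the page: a size computed from client-supplied dimensions that wraps in 32-bit arithmetic so that too small a block is allocated (CVE-2008-2360 and CVE-2008-2361 here; the freetype integer overflow CVE-2008-1806 above is the same shape), and a byte-swapping loop driven by a count that the request itself supplies (CVE-2008-1377 and CVE-2008-2362). The C below is an added example written for this page, not X server or freetype code: the request layout, field names and sample values are constructed for illustration, modelled on the X protocol's convention of a 16-bit length in 4-byte units followed by count fields, and the header is assumed to already be in host byte order so the swapping of the header itself is left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed request layout for this example (fields in host order). */
typedef struct {
    uint8_t  reqType;
    uint8_t  pad0;
    uint16_t length;   /* whole request in 4-byte words, header included */
    uint16_t nValues;  /* client-claimed number of 32-bit values after the header */
    uint16_t pad1;
} ReqHeader;           /* 8 bytes = 2 words */

enum { REQ_OK = 0, REQ_BAD_LENGTH = -1, REQ_BAD_ALLOC = -2 };

static uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0x0000ff00u) | ((v << 8) & 0x00ff0000u) | (v << 24);
}

uint32_t read_u32(const uint8_t *buf, size_t off) {
    uint32_t v;
    memcpy(&v, buf + off, 4);
    return v;
}

/* Serialise a header plus 'nprovided' values into buf. nValues may be set
 * larger than nprovided to mimic a lying client. Returns bytes written or -1. */
int build_request(uint8_t *buf, size_t buflen, uint16_t length_words,
                  uint16_t nvalues, const uint32_t *vals, size_t nprovided) {
    size_t need = sizeof(ReqHeader) + nprovided * 4;
    if (need > buflen) return -1;
    ReqHeader h = { 1, 0, length_words, nvalues, 0 };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, vals, nprovided * 4);
    return (int)need;
}

/* Byte-swap the values of a request from a client of the other endianness, as
 * the SProc* handlers do. The vulnerable handlers looped over the header's
 * count without checking it against the request length, so a crafted count
 * swapped bytes far past the request. Here the count is checked against both
 * the declared length and the bytes actually received before anything is
 * modified; 'buflen' is what the server really holds for this request. */
int swap_request_values(uint8_t *req, size_t buflen) {
    ReqHeader h;
    if (buflen < sizeof h) return REQ_BAD_LENGTH;
    memcpy(&h, req, sizeof h);
    size_t declared = (size_t)h.length * 4;
    size_t needed   = sizeof h + (size_t)h.nValues * 4;
    if (declared != needed || declared > buflen) return REQ_BAD_LENGTH;
    for (size_t i = 0; i < h.nValues; i++) {
        uint8_t *p = req + sizeof h + i * 4;
        uint32_t v = swap32(read_u32(p, 0));
        memcpy(p, &v, 4);
    }
    return REQ_OK;
}

/* Size computation of the shape that overflowed in AllocateGlyph() and
 * ProcRenderCreateCursor(): with 32-bit arithmetic a large width*height
 * wraps, a small block is allocated, and the later copy runs past it. */
uint32_t glyph_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp, uint32_t header) {
    return width * height * bpp + header;   /* wraps silently */
}

/* Checked version: every step is done in 64 bits and rejected as soon as it
 * no longer fits the 32-bit size the allocator is handed. */
int glyph_alloc_size(uint32_t width, uint32_t height, uint32_t bpp,
                     uint32_t header, uint32_t *out) {
    uint64_t bytes = (uint64_t)width * height;   /* 32+32 bits: cannot overflow here */
    if (bytes > UINT32_MAX) return REQ_BAD_ALLOC;
    bytes *= bpp;                                /* again at most 32+32 bits */
    if (bytes > UINT32_MAX) return REQ_BAD_ALLOC;
    bytes += header;
    if (bytes > UINT32_MAX) return REQ_BAD_ALLOC;
    *out = (uint32_t)bytes;
    return REQ_OK;
}

int main(void) {
    uint8_t req[16];
    uint32_t vals[2] = { 0x11223344u, 0xAABBCCDDu };   /* constructed sample values */
    uint32_t sz = 0;

    build_request(req, sizeof req, 4, 1000, vals, 2);  /* header claims 1000 values, 2 present */
    printf("lying count  -> %d (REQ_BAD_LENGTH is %d)\n", swap_request_values(req, sizeof req), REQ_BAD_LENGTH);
    build_request(req, sizeof req, 4, 2, vals, 2);
    printf("honest count -> %d, first value now 0x%08x\n", swap_request_values(req, sizeof req), read_u32(req, 8));
    printf("unchecked 65536x65536x1 -> %u bytes\n", glyph_size_unchecked(65536u, 65536u, 1u, 0u));
    printf("checked   65536x65536x1 -> %d (REQ_BAD_ALLOC is %d)\n", glyph_alloc_size(65536u, 65536u, 1u, 0u, &sz), REQ_BAD_ALLOC);
    return 0;
}
```

The two checks are deliberately placed before any write: a swap loop that validates as it goes has already corrupted memory by the time it notices, and a size check after the allocation is too late for the copy that follows.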
Page editor: Jake Edge