Security
Mozilla's Content Security Policy
Cross-site scripting (XSS) is a common web application flaw that can lead to a wide variety of attacks. The problem, and ways to eliminate it, have been known for years, but new instances of XSS crop up regularly in web applications, live sites as well as packages like content management systems. Mozilla has taken the lead on a new security policy, Content Security Policy (CSP), which provides a way for sites to avoid XSS. It does that by fundamentally changing the way JavaScript content is treated by the browser, but does so in a way that allows sites to opt in to the new policy.
XSS works by injecting JavaScript content into the data returned by a web server. Normally that happens because some kind of user input was not properly filtered before it was echoed back on a web page. If that user input (in the form of a comment on an article, for example) contains unfiltered JavaScript, the user's browser will happily execute it as if it originated with the site. At that point, attacker-controlled code is running with the privileges of the browser user and the origin site.
As described by Mozilla security program manager Brandon Sterne on the Mozilla Security Blog, CSP changes that model. Instead of treating all content received in a response as having the same privilege level, CSP allows the site owner to explicitly list what kinds of JavaScript to trust. In order to do that, however, CSP strictly limits where JavaScript can originate and where it can appear in HTML.
Basically, CSP allows a site operator to list hosts from which JavaScript content will be accepted. If that option is used (via an HTTP X-Content-Security-Policy header or HTML <META> tag), all JavaScript must be loaded from external files from hosts on the list; all other mechanisms for executing JavaScript are disabled for that page. Sterne describes it this way:
This will be an enormous change for sites that want to use CSP, but it is backward-compatible with older browsers (or those that do not support CSP), and there are ways to approach the implementation incrementally. Sterne notes that all sites should be able to make the switch, and Mozilla intends to provide a migration guide to help sites convert to CSP. But it remains to be seen whether sites will actually use it. Mozilla security lead Daniel Veditz commented about that in the bug entry that tracks CSP implementation:
Note that we are not eliminating event handlers, just the ability to specify them inline. AddEventListener() will still work, as will setting the .click property of a DOM node. This is a little cumbersome, but there are already sites that do this for some of their content.
CSP is a gamble, it could be that the hurdle will turn out to be too high. But if we can get authors over that hurdle we can promise them a safer site.
Another interesting feature of CSP is its ability to notify a site when there is an attempt to violate the policy. This will even benefit users of browsers that don't support CSP, as XSS holes can be recognized and fixed more quickly. Sterne is optimistic about the effect of CSP:
The open question is whether site operators are concerned enough about XSS to change the way they handle JavaScript. Over time, automated tools may help with that process, which could lower the bar somewhat, but it is still a daunting task. One would guess that the other browsers will take a "wait and see" attitude before deciding whether to implement it. Though the implementation is progressing, there is also no word from Mozilla on when it might release a browser with CSP.
Perhaps CSP is too heavy-handed a solution to the XSS problem, but it is good to see Mozilla taking a lead in trying to find something that will alleviate the problem. There are other, similar efforts in the works at Mozilla, including the Origin header to mitigate cross-site request forgery and clickjacking.
While these web application vulnerabilities are largely understood and techniques to avoid them are known, they keep cropping up. Finding ways to make users' browsers more resistant to these kinds of attacks can only help improve web security.
New vulnerabilities
git: denial of service
| Package(s): | git | CVE #(s): | CVE-2009-2108 |
| Created: | June 25, 2009 | Updated: | February 1, 2010 |
| Description: | git has a denial of service vulnerability. From the National Vulnerability Database entry: git-daemon in git 1.4.4.5 through 1.6.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request containing extra unrecognized arguments. |
| Alerts: | |
html2text.php: arbitrary code execution
| Package(s): | html2text.php | CVE #(s): | CVE-2008-5619 |
| Created: | June 25, 2009 | Updated: | July 1, 2009 |
| Description: | html2text.php has an arbitrary code execution vulnerability. From the National Vulnerability Database entry: html2text.php in Chuggnutt HTML to Text Converter, as used in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch. |
| Alerts: | |
kdegraphics: multiple vulnerabilities
| Package(s): | kdegraphics | CVE #(s): | CVE-2009-0945 CVE-2009-1709 |
| Created: | June 25, 2009 | Updated: | January 25, 2011 |
| Description: | kdegraphics has multiple vulnerabilities. From the Red Hat alert: A use-after-free flaw was found in the KDE KSVG animation element implementation. A remote attacker could create a specially-crafted SVG image, which once opened by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1709) A NULL pointer dereference flaw was found in the KDE KSVG SVGList interface implementation. A remote attacker could create a specially-crafted SVG image, which once opened by an unsuspecting user, would cause memory corruption, leading to a denial of service (Konqueror crash). (CVE-2009-0945) |
| Alerts: | |
kdelibs: multiple vulnerabilities
| Package(s): | kdelibs | CVE #(s): | CVE-2009-1687 CVE-2009-1690 CVE-2009-1698 |
| Created: | June 25, 2009 | Updated: | January 25, 2011 |
| Description: | kdelibs has multiple vulnerabilities. From the Red Hat alert: A flaw was found in the way the KDE CSS parser handled content for the CSS "style" attribute. A remote attacker could create a specially-crafted CSS equipped HTML page, which once visited by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1698) A flaw was found in the way the KDE HTML parser handled content for the HTML "head" element. A remote attacker could create a specially-crafted HTML page, which once visited by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1690) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the KDE JavaScript garbage collector handled memory allocation requests. A remote attacker could create a specially-crafted HTML page, which once visited by an unsuspecting user, could cause a denial of service (Konqueror crash) or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-1687) |
| Alerts: | |
kernel: buffer overflow
| Package(s): | kernel | CVE #(s): | CVE-2009-1389 |
| Created: | June 25, 2009 | Updated: | September 23, 2010 |
| Description: | The kernel has a buffer overflow vulnerability. From the National Vulnerability Database entry: Buffer overflow in the RTL8169 NIC driver (drivers/net/r8169.c) in the Linux kernel before 2.6.30 allows remote attackers to cause a denial of service (kernel memory corruption and crash) via a long packet. |
| Alerts: | |
moodle: arbitrary SQL execution
| Package(s): | moodle | CVE #(s): | CVE-2008-6124 |
| Created: | June 25, 2009 | Updated: | July 1, 2009 |
| Description: | moodle has an arbitrary SQL execution vulnerability. From the National Vulnerability Database entry: SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 allows remote attackers to execute arbitrary SQL commands via a crafted selected attempt. |
| Alerts: | |
net-snmp: denial of service
| Package(s): | net-snmp | CVE #(s): | CVE-2009-1887 |
| Created: | June 25, 2009 | Updated: | July 20, 2009 |
| Description: | net-snmp has a denial of service vulnerability. From the Red Hat alert: A divide-by-zero flaw was discovered in the snmpd daemon. A remote attacker could issue a specially-crafted GETBULK request that could crash the snmpd daemon. (CVE-2009-1887) Note: An attacker must have read access to the SNMP server in order to exploit this flaw. |
| Alerts: | |
openssl: multiple vulnerabilities
| Package(s): | openssl | CVE #(s): | CVE-2009-1379 CVE-2009-1386 CVE-2009-1387 |
| Created: | June 26, 2009 | Updated: | March 2, 2010 |
| Description: | From the Ubuntu advisory: It was discovered that OpenSSL did not properly handle certain server certificates when processing DTLS packets. A remote DTLS server could cause a denial of service by sending a message containing a specially crafted server certificate. (CVE-2009-1379) It was discovered that OpenSSL did not properly handle a DTLS ChangeCipherSpec packet when it occurred before ClientHello. A remote attacker could cause a denial of service by sending a specially crafted request. (CVE-2009-1386) It was discovered that OpenSSL did not properly handle out of sequence DTLS handshake messages. A remote attacker could cause a denial of service by sending a specially crafted request. (CVE-2009-1387) |
| Alerts: | |
pam_krb5: information disclosure
| Package(s): | pam_krb5 | CVE #(s): | CVE-2009-1384 |
| Created: | June 29, 2009 | Updated: | March 31, 2010 |
| Description: | From the Red Hat bugzilla entry: A security flaw was found in PAM pam_krb5 module, providing user authentication based on Kerberos principals. A remote attacker could use this flaw to recognize, if some username/login belongs to set of user accounts, existing on the system, and subsequently perform dictionary based password guess attack. |
| Alerts: | |
php: crash with corrupted JPEG file
| Package(s): | php | CVE #(s): | |
| Created: | June 29, 2009 | Updated: | July 1, 2009 |
| Description: | From the PHP bug report: There seems to be a problem in exif_read_data(), where some fields representing offsets(?) are taken directly from the file without being validated, resulting in a segmentation fault. |
| Alerts: | |
rt3: privilege escalation
| Package(s): | rt3 | CVE #(s): | |
| Created: | June 25, 2009 | Updated: | July 1, 2009 |
| Description: | rt3 has a privilege escalation vulnerability. From the Fedora alert: Bug #506885 - rt3: privilege to edit 'RT at a Glance' unintentionally granted by "ShowConfigTab" right. |
| Alerts: | |
samba: several vulnerabilities
| Package(s): | samba | CVE #(s): | CVE-2009-1886 CVE-2009-1888 |
| Created: | June 26, 2009 | Updated: | December 7, 2009 |
| Description: | From the Debian advisory: Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server. The Common Vulnerabilities and Exposures project identifies the following problems: The smbclient utility contains a format-string vulnerability where commands dealing with file names treat user input as format strings to asprintf. (CVE-2009-1886) In the smbd daemon, if a user is trying to modify an access control list (ACL) and is denied permission, this deny may be overridden if the parameter "dos filemode" is set to "yes" in the smb.conf and the user already has write access to the file. (CVE-2009-1888) |
| Alerts: | |
seamonkey: multiple vulnerabilities
| Package(s): | seamonkey | CVE #(s): | |
| Created: | June 25, 2009 | Updated: | September 8, 2009 |
| Description: | seamonkey has multiple vulnerabilities. From the Mozilla advisory: MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part; MFSA 2009-32 JavaScript chrome privilege escalation; MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null; MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests; MFSA 2009-26 Arbitrary domain cookie access by local file: resources; MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11); MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame; MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme |
| Alerts: | |
smarty: PHP code injection
| Package(s): | smarty | CVE #(s): | CVE-2008-4810 |
| Created: | June 25, 2009 | Updated: | August 18, 2010 |
| Description: | Smarty has a PHP code injection vulnerability. From the National Vulnerability Database entry: The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka "php executed in templates;" and (2) a double quoted literal string, aka a "function injection security hole." NOTE: each vector affects slightly different SVN revisions. |
| Alerts: | |
thunderbird: arbitrary code execution
| Package(s): | mozilla-thunderbird | CVE #(s): | CVE-2009-2210 |
| Created: | June 29, 2009 | Updated: | July 16, 2009 |
| Description: | From the CVE entry: Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a multipart/alternative e-mail message containing a text/enhanced part that triggers access to an incorrect object type. |
| Alerts: | |
Page editor: Jake Edge