Security
Brief items
OWASP Guide to Building Secure Web Applications
Congratulations to the Open Web Application Security Project on the first release of its "Guide to Building Secure Web Applications", now available in HTML or PDF format.
The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com.
TCPA / Palladium Frequently Asked Questions
Ross Anderson has released version 0.1 of his TCPA / Palladium Frequently Asked Questions. Ross Anderson leads the Computer Security Group at the University of Cambridge Computer Laboratory. His recent paper (available in PDF format) on security in open vs closed systems was the subject of articles in the New York Times and News.com as well as last week's Security page.
BIND 4.9.8-OW2 and 4.9.9-OW1 released
The BIND 4.9.8-OW2 patch and the BIND 4.9.9 release (and thus 4.9.9-OW1) include fixes for a libc-related vulnerability which does not affect Linux.
Details on the vulnerability are available in the CERT Advisory.
TurboLinux updates
Turbolinux, it seems, quietly put out a big pile of updated RPMs on the Turbolinux Security Center in the first half of June. No advisories, just RPMs. Although they do not address the current apache or ssh problems, this is still a welcome sign that TurboLinux may be taking security more seriously. We expressed concern with the lack of security updates from TurboLinux back in January.
Security reports
Apache worm on the loose
It is way past time to upgrade your Apache servers. A worm which exploits the "chunk handling" vulnerability has been sighted, and its source has been publicly posted. For a list of distributor alerts, see the vulnerability report. The June 2002 Netcraft Web Server Survey estimated that as of July 1st there were still "around 14 Million potentially vulnerable Apache sites."
ZDNet covered the worm with articles on its history and speculation on the potential for a new wave of network attacks. Robert Lemos chronicled the mildness of the worm's impact so far for CNET News.com in articles published June 28th and July 1st. Capture of the worm in a honeypot system was reported on June 28th.
XSS not in stable Slashcode
Despite a report to the contrary this week, Jamie McCarthy assures us that the cross site scripting vulnerability which took down slashdot.org is not in the 2.2.5 release, or in any other stable release. "The bug was introduced in CVS on June 17 and was fixed on July 1."
Cross site scripting vulnerability in Betsie
Betsie version 1.5.11, and all versions before, have a cross site scripting vulnerability which is fixed in version 1.5.12.
Acrobat reader 5.05 temporary files
Paul Szabo reports a symlink attack vulnerability in Acrobat Reader 5.05. Acroread uses a file it creates with wide open permissions (mode 666) in /tmp; "it also follows symlinks." A local user who plants a symlink at that name before Acroread runs can therefore have the file it points to overwritten with the user's privileges. Jarno Huuskonen reported a similar vulnerability in Acrobat Reader 4.05 last week.
Xitami 2.5 Beta script injection vulnerabilities
Script injection vulnerabilities were reported in Xitami 2.5 Beta from iMatix. Xitami is a high-performance portable web server.
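The Acrobat Reader report above is the classic /tmp symlink attack: a program creates a file with a fixed, predictable name and opens it in a way that follows symbolic links, so whoever plants a symlink at that name first decides which file really gets truncated and written. The C program below is an added illustration, not code from the page, from Adobe or from Paul Szabo's report. It reproduces the effect in a scratch directory and contrasts the insecure open() with one that uses O_EXCL|O_NOFOLLOW; the directory, file names and contents are constructed for the demo.

```c
/* Added example (not from the page or from Adobe): a predictable temp-file
 * name opened without O_EXCL/O_NOFOLLOW can be redirected through a symlink.
 * The scratch directory, file names and contents are constructed for the demo. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern in the report: fixed name, mode 666, symlinks followed. */
static int open_tmp_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened variant: O_EXCL refuses any pre-existing name (including a symlink),
 * O_NOFOLLOW refuses to traverse a symlink, and 0600 keeps the file private.
 * mkstemp(3) gives the same guarantees with an unpredictable name. */
static int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Runs the scenario in a fresh directory under /tmp.
 * *truncated becomes 1 if the insecure open emptied the victim file through
 * the symlink; *refused becomes 1 if the hardened open rejected the symlink.
 * Returns 0, or -1 if setup failed. */
int run_symlink_demo(int *truncated, int *refused)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";
    char victim[256], trap[256];
    int fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);   /* stands in for a file the attacker wants clobbered */
    snprintf(trap, sizeof trap, "%s/AcroXXXX", dir);      /* the predictable temp name */

    if (write_file(victim, "keep me\n") != 0 || symlink(victim, trap) != 0)
        return -1;

    /* The attacker planted the symlink; now the program "creates" its temp file. */
    fd = open_tmp_insecure(trap);
    if (fd >= 0) close(fd);
    *truncated = (file_size(victim) == 0);

    fd = open_tmp_safe(trap);
    *refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);

    unlink(trap);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    int truncated = 0, refused = 0;
    if (run_symlink_demo(&truncated, &refused) != 0) {
        perror("setup");
        return 1;
    }
    printf("insecure open clobbered the target through the symlink: %s\n", truncated ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW open refused the symlink:            %s\n", refused ? "yes" : "no");
    return 0;
}
```

Build with `cc -o symlinkdemo symlinkdemo.c` and run it as an ordinary user; the victim file is emptied by the first open and left alone by the second. The fix in real programs is mkstemp(3), which chooses an unpredictable name and opens with O_CREAT|O_EXCL in one step, so there is no window between checking and creating the file.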
New vulnerabilities
Apache mod_ssl off-by-one local code execution and DoS vulnerability
| Package(s): | libapache-mod-ssl mod_ssl | CVE #(s): | CAN-2002-0653 |
| Created: | July 2, 2002 | Updated: | August 14, 2002 |
| Description: | mod_ssl provides strong cryptography for the Apache web server via the Secure Sockets Layer (SSL). An off-by-one error lets a local user who can supply a maliciously crafted .htaccess file execute arbitrary code as the httpd user or cause a denial of service. The problem is fixed in mod_ssl 2.8.10, which is available from here. For more information see the announcement. |
| Alerts: | |
Resources
Apache and OpenSSH Vulnerabilities (Linux Journal)
Linux Journal explains to Linux newbies how to deal with the latest Apache and OpenSSH security vulnerabilities. "If you don't know for sure if your Linux box runs Apache or OpenSSH, you are at the greatest risk. We do not have space here to teach you about your package management tool. All we can say is take your system off the Net, learn how to check what you have installed and either remove these packages or upgrade them. Many Linux distributions come with services running "out of the box" and don't tell users about everything that is present. Do not assume that you're not running Apache or OpenSSH unless you know for sure how to check."
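The Linux Journal advice above amounts to a short procedure: find out whether Apache and OpenSSH are installed and running, compare their versions with the releases that fixed the bugs, and upgrade or remove them. The POSIX sh script below is an added example, not Linux Journal's or any distribution's tooling. The fixed versions it compares against (Apache 1.3.26 and 2.0.39 for the chunked-encoding bug, OpenSSH 3.4 for the challenge-response bug) are taken from the upstream announcements rather than from this page, and the package names it queries (apache, httpd, apache2, openssh-server, openssh, ssh) are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example (not from Linux Journal or any distribution): check a Linux host
# for Apache and OpenSSH packages older than the June 2002 fixed releases.
# Fixed versions come from the upstream advisories, not from this page:
#   Apache  1.3.26 / 2.0.39  (chunked-encoding handling)
#   OpenSSH 3.4              (challenge-response authentication)
# Package names are assumptions; adjust them for your distribution.

# version_lt A B: succeed if dotted version A is strictly lower than B.
# Non-numeric suffixes such as the "p1" in 3.4p1 are ignored.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=$(printf '%s' "$ai" | sed 's/[^0-9].*//'); ai=${ai:-0}
        bi=$(printf '%s' "$bi" | sed 's/[^0-9].*//'); bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

apache_vulnerable() {        # 1.x below 1.3.26, 2.0.x below 2.0.39
    case $1 in
        1.*) version_lt "$1" 1.3.26 ;;
        2.*) version_lt "$1" 2.0.39 ;;
        *)   return 1 ;;
    esac
}

openssh_vulnerable() { version_lt "$1" 3.4; }

# installed_version PKG...: print the upstream version of the first PKG found
# in the rpm or dpkg database; print nothing and fail if none is installed.
installed_version() {
    for pkg in "$@"; do
        if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
            rpm -q --qf '%{VERSION}\n' "$pkg" | head -n 1; return 0
        elif command -v dpkg-query >/dev/null 2>&1 \
             && v=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) && [ -n "$v" ]; then
            printf '%s\n' "$v" | sed 's/^[0-9]*://; s/-.*//'; return 0   # drop epoch and Debian revision
        fi
    done
    return 1
}

report() {                   # report LABEL VERSION PREDICATE
    if [ -z "$2" ]; then
        echo "$1: not in the package database; look for a source build (e.g. /usr/local/apache, /usr/local/sbin/sshd)"
    elif "$3" "$2"; then
        echo "$1 $2: VULNERABLE, upgrade or remove it"
    else
        echo "$1 $2: at or above the fixed release"
    fi
}

audit_host() {
    report Apache  "$(installed_version apache httpd apache2)" apache_vulnerable
    report OpenSSH "$(installed_version openssh-server openssh ssh)" openssh_vulnerable
    echo "Running httpd/sshd processes:"
    ps ax 2>/dev/null | grep -E '[h]ttpd|[s]shd' || echo "  (none)"
}

audit_host
```

One caveat a practitioner should keep in mind: distributors often backport fixes without bumping the upstream version, so a vendor package reporting 1.3.22 may already carry the fix in its release field. Treat a "VULNERABLE" line from this script as a prompt to read the distributor's alert for that package, not as proof by itself.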
Linux Security Week
The July 1st Linux Security Week newsletter from LinuxSecurity.com is available.
Events
Registration for H2K2 New York City closes this week.
Upcoming Security Events
| Date | Event | Location |
|---|---|---|
| July 12 - 14, 2002 | H2K2 "Hacker" conference | New York City |
| July 31 - August 1, 2002 | Black Hat Briefings 2002 | Caesars Palace Hotel and Resort, Las Vegas, NV, USA |
| August 2 - 4, 2002 | Defcon | Alexis Park Hotel and Resort, Las Vegas, Nevada |
| August 5 - 9, 2002 | 11th USENIX Security Symposium | San Francisco, CA, USA |
| August 6 - 9, 2002 | CERT Conference 2002 | Omaha, Nebraska, USA |
| August 19 - 21, 2002 | Canadian Security & Intelligence Conference (CSICON) | Hyatt Regency, Calgary, Alberta, Canada |
| August 28 - 30, 2002 | Workshop on Information Security Applications (WISA 2002) | Jeju Island, Korea |
For additional security-related events, including training courses (which we don't list above) and events further in the future, check out Security Focus' calendar, one of the primary resources we use for building the above list. To submit an event directly to us, please send a plain-text message to lwn@lwn.net.
Page editor: Dennis Tenney
