Security
Static security analysis of Tizen apps
At the 2014 Tizen Developer Conference (TDC) in San Francisco, Dan Wallach of Rice University delivered a presentation about his ongoing work to perform security analysis of third-party apps written for Tizen mobile devices. While static analysis can never catch every violation of security rules, a framework that helps automate the process would simplify any "app store" review process, as well as providing side benefits to the app and platform developers.
Wallach's research is partly funded by Samsung, he disclosed at the beginning of his talk, but his presentation in no way indicates that he speaks on the company's behalf. Wallach works at Rice's Computer Security Lab, and co-leads a team of researchers and PhD students on this project. The target is performing automated, static analysis of mobile Tizen apps submitted to the app store, in order to reduce the amount of time that each app demands of a human reviewer.
Analysis of Tizen apps
Wallach's team is only investigating one piece of the app review process, of course. Tizen offers two development frameworks: HTML5/JavaScript and native code; Wallach's team is looking at native apps while someone else is doing similar work on analysis of HTML5 apps. But Tizen apps can also be compiled with either a GCC or LLVM toolchain; Wallach's team is focusing on analysis of the LLVM-generated apps.
The reason is that the LLVM toolchain produces cross-platform LLVM "bitcode" executables (which are intended to run on either Intel or ARM hardware, both architectures that are supported by Tizen). The LLVM bitcode is an intermediate representation of the compiled program, designed to be optimized, he said, but that also means it is ripe for other forms of analysis. It preserves the high-level semantics of the program, unlike machine code, and it can be generated from multiple languages (unlike Java bytecode). Finally, it supports multiple architectures (which is of particular interest to the Tizen project), so one analysis framework would assist a lot of developers.
The security analysis performed by the team is static, he explained, meaning that the submitted app is not executed. Instead, the framework examines the program structure, flagging potential security problems. The basic idea is to mark points where app security is "tainted;" for example, in a potential information leak, such a point would have both a "source" call (e.g., requesting the device's GPS location) and a "sink" (e.g., sending some data to a remote server).
Obviously, if there is no conditional branching in the program flow between the source and the sink, it is trivial to determine if the program copies the GPS location into the data structure sent to the remote server, which could be a violation of security policy. Static analysis has to cope with the conditional flows, Wallach said. Historically, static analysis has been a conservative approach: assuming all branches in the code are taken, which can lead to false positives. It must also deal with other complexities such as pointer aliasing and object-oriented method dispatching, both of which introduce a lot of unknowns to cope with. On the other hand, he said, the opposite approach—dynamic analysis—tends to produce false negatives.
Control-flow analysis is not a new problem, of course, and there are existing approaches to reducing the potentially overwhelming number of false positives. The techniques do require some knowledge of the platform: knowing what the most likely vulnerabilities are, knowing what special cases should be allowed, and so on.
The group at Rice has been working for the past year to build an LLVM information-flow analysis engine for Tizen, though the project is far from finished. As of now, the group's work can statically analyze LLVM-bitcode Tizen apps, although Wallach pointed out that it does not analyze the Tizen libraries or kernel for vulnerabilities. Samsung provided the team with 30 apps as test cases, and the analysis found only one privacy leak, but just as importantly, it produced no false positives or false negatives. 30 apps (and 30 known apps, for that matter) is not a large test set, of course; an audience member asked Wallach if he would be interested in working on his company's library of 300 apps, to which Wallach replied "that would be fantastic."
The framework that the team is developing is intended to fit into the Tizen app-store submission process, so that new submissions are analyzed and a report is generated for a human analyst to look over. Security problems caught would send the app back to the developer for further work, but could also be used to help the Tizen project refine its security policies. Wallach noted that this approach differs from both Apple's app store review process and Google's; Apple's is secretive but apparently labor-intensive and slow, while Google's is known to be 100% automated and fast, but allows problematic apps to slip through.
What's next
The next stage of the ongoing research, Wallach said, is to perform similar analysis of the Tizen libraries. Everyone likes to think about their platform APIs as being discrete, orthogonal entities, he said—Bluetooth, Networking, Filesystem, etc.—each of which mediates access to some specific kernel-level feature. But in reality, they overlap quite a bit and share access to the same resources. In many cases they are interdependent, too.
That makes it difficult to construct strict security policies, as Tizen would like to do. For example, he described a well-known 1996-era Java vulnerability. The URL handler was intended to let an application retrieve a remote URL, but the URL-handling code also understood other protocol schemes like file:, which created a vulnerability. Simply blacklisting file: was not sufficient, either, since applications should be allowed to create and retrieve temporary files (for caching and so on).
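The Java URL-handler problem above is a policy-design question rather than a parsing bug: a blacklist of one scheme is both too strict (it blocks the cache files a legitimate app needs) and too loose (it says nothing about every other scheme the handler understands). The following Python is an added example, not code from the talk or from Java, contrasting that blacklist with an allow-list policy that confines file: access to the app's own cache directory. The cache path, both policy functions and the sample URLs are constructed for the example.

```python
"""Allow-list URL policy for an app-level fetch API (constructed illustration).

Everything here is an assumption made for the example: the cache directory,
the two policy functions and the sample URLs. None of it is Tizen or Java code.
"""
import os
from urllib.parse import unquote, urlparse


def deny_file_scheme_only(url: str) -> bool:
    """The blacklist approach: refuse file: and let everything else through.

    It blocks the app's own cache files (which legitimate apps need) while
    still admitting any other scheme the underlying handler happens to know.
    """
    return urlparse(url).scheme.lower() != "file"


def make_url_policy(cache_dir: str):
    """Build an allow-list policy: http(s) to a named host, or file: confined
    to the app's cache directory; every other scheme is denied by default."""
    cache_root = os.path.realpath(cache_dir)

    def is_allowed(url: str) -> bool:
        parsed = urlparse(url)
        scheme = parsed.scheme.lower()
        if scheme in ("http", "https"):
            return bool(parsed.netloc)           # must name a host
        if scheme == "file":
            # Resolve '..' and symlinks before comparing against the root,
            # so only paths genuinely inside the cache directory pass.
            path = os.path.realpath(unquote(parsed.path))
            return path == cache_root or path.startswith(cache_root + os.sep)
        return False                             # default deny

    return is_allowed


if __name__ == "__main__":
    policy = make_url_policy("/tmp/example-app/cache")   # constructed path
    for u in ("https://example.com/data",
              "file:///tmp/example-app/cache/page.html",
              "file:///tmp/example-app/cache/../../etc/hosts",
              "ftp://example.com/pub"):
        print(f"{u:50} blacklist={deny_file_scheme_only(u)!s:5} allowlist={policy(u)}")
```

The allow-list version passes the cache file the blacklist rejects, and rejects the unrelated scheme and the out-of-directory path the blacklist would let through; the realpath step is what turns "file: is allowed for the cache" into a policy that can actually be checked.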
The group's plan is to perform its static analysis on the Tizen libraries to map all of the platform APIs to kernel calls, then use that mapping to verify (and update) Tizen's Smack security policies. But the analysis will have other benefits, too. It can be adapted into the Tizen build process, so that any changes to the libraries that have security-policy implications can be flagged automatically. It will also allow higher-level APIs to be written while forbidding direct calls to lower-level dependencies.
Subsequently, the group may also annotate code with #pragma statements to denote exceptions to the security policy that a human auditor has determined is safe. The example he gave was an app doing a filesystem read to a cache file that it owns; an auditor can mark this with
#pragma SecurityAudited(OpenFile)
and eliminate a false-positive result in the automated analysis step. The group also intends to perform an information-flow analysis of the entire Tizen library set, and to analyze Tizen's multiple inter-process communication (IPC) mechanisms. When he was first approached about working with Tizen, Wallach recalled, he asked "what's your IPC mechanism?" and was a bit surprised at the answer: "which one?" Comparable work in Android, he noted, has uncovered and fixed many security holes.
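To make the source/sink analysis described earlier concrete, and to show how an audited exception like the #pragma above suppresses a finding, here is an added example in Python; it is not Wallach's tool, not LLVM's API and not Tizen code. It propagates taint forward over a tiny SSA-style control-flow graph, merging at block entries by union so that every branch is assumed feasible (the conservative choice the talk describes). The instruction format, the hypothetical source and sink calls, the sample programs and the `audited` set are all constructed for the example.

```python
"""Toy source-to-sink information-flow analysis over a tiny SSA-style IR.

Constructed illustration: the IR, the SOURCES/SINKS lists, the sample
programs and the 'audited' exception set are all assumptions made here;
this is not Wallach's tool or any LLVM API.
"""
from typing import Dict, List, Set, Tuple

# Instruction forms (plain tuples). Every name is assigned once, as in
# LLVM's SSA form, so taint only ever needs to be added, never removed.
#   ("call", dst, fn, [args])   dst = fn(args)   (dst may be None)
#   ("assign", dst, src)        dst = src
#   ("join", dst, a, b)         dst combines a and b (e.g. string concat)
#   ("br", cond, then, else)    conditional branch on cond
#   ("jmp", target)             unconditional branch
#   ("ret",)                    return
Instr = tuple
CFG = Dict[str, List[Instr]]
Finding = Tuple[str, int, str]          # (block, instruction index, sink)

# Hypothetical platform calls: sources yield sensitive data, sinks export it.
SOURCES = {"get_gps_location", "read_contacts"}
SINKS = {"send_to_server"}


def successors(terminator: Instr) -> List[str]:
    if terminator[0] == "br":
        return [terminator[2], terminator[3]]
    if terminator[0] == "jmp":
        return [terminator[1]]
    return []                            # "ret" ends the path


def analyze(cfg: CFG, entry: str = "entry",
            audited: Set[Tuple[str, int]] = frozenset()) -> List[Finding]:
    """Forward dataflow to a fixpoint; state = set of tainted names.

    Block-entry states are merged by union, i.e. every branch is assumed
    feasible. That never misses a real source-to-sink flow but may report
    flows a runtime condition would prevent (a false positive). `audited`
    lists (block, index) positions a human reviewer has cleared, the
    analogue of marking a call with a #pragma SecurityAudited annotation.
    """
    state_in: Dict[str, Set[str]] = {b: set() for b in cfg}
    findings: Set[Finding] = set()
    worklist = [entry]
    while worklist:
        block = worklist.pop()
        tainted = set(state_in[block])
        for i, ins in enumerate(cfg[block]):
            if ins[0] == "call":
                _, dst, fn, args = ins
                arg_tainted = any(a in tainted for a in args)
                if fn in SINKS and arg_tainted and (block, i) not in audited:
                    findings.add((block, i, fn))
                if dst is not None and (fn in SOURCES or arg_tainted):
                    tainted.add(dst)     # source result, or derived from one
            elif ins[0] == "assign" and ins[2] in tainted:
                tainted.add(ins[1])
            elif ins[0] == "join" and (ins[2] in tainted or ins[3] in tainted):
                tainted.add(ins[1])
        for succ in successors(cfg[block][-1]):
            if not tainted <= state_in[succ]:    # new facts reach succ
                state_in[succ] |= tainted
                worklist.append(succ)
    return sorted(findings)


# Constructed sample: the GPS fix reaches the network only on one branch.
LEAKY: CFG = {
    "entry": [
        ("call", "loc", "get_gps_location", []),
        ("call", "msg", "build_report", []),
        ("call", "opted_in", "user_opted_in", []),
        ("br", "opted_in", "share", "done"),
    ],
    "share": [
        ("join", "payload", "msg", "loc"),
        ("call", None, "send_to_server", ["payload"]),
        ("jmp", "done"),
    ],
    "done": [("ret",)],
}

# Constructed sample: sensitive data is read, but only a clean report is sent.
CLEAN: CFG = {
    "entry": [
        ("call", "loc", "get_gps_location", []),
        ("call", "msg", "build_report", []),
        ("call", None, "send_to_server", ["msg"]),
        ("ret",),
    ],
}

if __name__ == "__main__":
    print("leaky:", analyze(LEAKY))
    print("leaky, audited:", analyze(LEAKY, audited={("share", 1)}))
    print("clean:", analyze(CLEAN))
```

Running it reports the `send_to_server` call in block `share` of `LEAKY` even though it only executes when `opted_in` is true, which is exactly the kind of result a reviewer might clear; passing that position in `audited` removes the finding without touching the program, and `CLEAN` produces nothing because the GPS value never reaches a sink.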
Eventually, he concluded, as the Tizen app ecosystem grows, the "known bad behavior" patterns will emerge, and analysis can focus more directly on them. In the meantime, static analysis frameworks like the one his team is developing will help reduce the pressure put on Tizen's Smack policy maintainers (by consolidating and simplifying rules), and will help developers write safer apps. It may even be possible, he said, to eliminate the need to manually write app "manifest" files (which list the permissions that an app requires); if the analyzer can determine which privileges the app actually uses, that is better than a list of what it claims it needs.
There is always a risk that making the security analysis process public will have the side effect of showing app developers "what they can get away with," he admitted, but that trade-off is one that the project and app-store maintainers will have to make. Wallach's group has also not yet made its code available to the public; for the project to have a significant impact on Tizen (rather than just on Samsung's app store), such a release will, no doubt, eventually be needed by the rest of the community.
[The author would like to thank the Tizen Association for travel assistance to attend TDC 2014.]
Brief items
Security quotes of the week
Yes. Yes there are. The software we use contains thousands of mistakes -- many of them security vulnerabilities. Lots of people are looking for these vulnerabilities: Researchers are looking for them. Criminals and hackers are looking for them. National intelligence agencies in the United States, the United Kingdom, China, Russia, and elsewhere are looking for them. The software vendors themselves are looking for them.
Making end-to-end encryption easier to use (Google Online Security Blog)
The Google Online Security Blog has announced the alpha release of an OpenPGP-compliant end-to-end encryption extension for the Chrome/Chromium browser. "While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools. However, you won’t find the End-to-End extension in the Chrome Web Store quite yet; we’re just sharing the code today so that the community can test and evaluate it, helping us make sure that it’s as secure as it needs to be before people start relying on it. (And we mean it: our Vulnerability Reward Program offers financial awards for finding security bugs in Google code, including End-to-End.)"
Critical new bug in crypto library leaves Linux, apps open to drive-by attacks (Ars Technica)
Ars Technica reports on a buffer overflow in GnuTLS, which is an alternative to OpenSSL for SSL/TLS support. The length checks for the session ID in the ServerHello message were not correct, which allowed the overflow. "Maliciously configured servers can exploit the bug by sending malformed data to devices as they establish encrypted HTTPS connections. Devices that rely on an unpatched version of GnuTLS can then be remotely hijacked by malicious code of the attacker's choosing, security researchers who examined the fix warned. The bug wasn't patched until Friday [May 30], with the release of GnuTLS versions 3.1.25, 3.2.15, and 3.3.4. While the patch has been available for three days, it will protect people only when the GnuTLS-dependent software they use has incorporated it. With literally hundreds of packages dependent on the library, that may take time." This analysis shows how the bug could be exploited for arbitrary code execution.
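The GnuTLS bug described above comes down to a missing bounds check on a length byte supplied by the peer. As an added illustration of what that check looks like (this is not GnuTLS code, and the encoder, parser and sample messages are constructed for the example), the following Python parses a ServerHello body and refuses any message whose declared session-ID length exceeds the 32 bytes the TLS specification allows (RFC 5246, section 7.4.1.3), or whose session ID would run past the end of the message.

```python
"""Bounds-checked parsing of a TLS ServerHello body (constructed illustration).

The parser, the encoder and the sample messages are assumptions made for
this example; none of it is GnuTLS code. Layout follows RFC 5246 7.4.1.3:
  ProtocolVersion(2) Random(32) SessionID<0..32> CipherSuite(2) Compression(1)
"""
import struct
from dataclasses import dataclass

MAX_SESSION_ID = 32          # the largest SessionID the protocol permits


@dataclass
class ServerHello:
    version: tuple
    random: bytes
    session_id: bytes
    cipher_suite: int
    compression: int


def parse_server_hello(body: bytes) -> ServerHello:
    """Reject the message unless both length checks pass.

    The check against MAX_SESSION_ID is the one that matters when the
    session ID is copied into a fixed 32-byte field, which is the shape of
    flaw the advisory describes; the check against len(body) prevents
    reading past the end of a truncated message.
    """
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello header")
    version = (body[0], body[1])
    rnd = body[2:34]
    sid_len = body[34]                          # peer-controlled length byte
    if sid_len > MAX_SESSION_ID:
        raise ValueError(f"session_id length {sid_len} exceeds {MAX_SESSION_ID}")
    off = 35
    if len(body) < off + sid_len + 3:
        raise ValueError("session_id runs past end of message")
    session_id = body[off:off + sid_len]
    off += sid_len
    (cipher_suite,) = struct.unpack(">H", body[off:off + 2])
    compression = body[off + 2]
    return ServerHello(version, rnd, session_id, cipher_suite, compression)


def build_server_hello(session_id: bytes, cipher_suite: int = 0x009C) -> bytes:
    """Constructed encoder for producing test messages. It does not clamp
    the session-ID length, so the parser's rejection path can be exercised."""
    return (bytes([3, 3]) + b"\x11" * 32 + bytes([len(session_id)])
            + session_id + struct.pack(">H", cipher_suite) + b"\x00")


def accepts(body: bytes) -> bool:
    """True if the parser accepts the message, False if it rejects it."""
    try:
        parse_server_hello(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(accepts(build_server_hello(b"\xAA" * 32)))        # maximum legal length
    print(accepts(build_server_hello(b"\xBB" * 40)))        # declared length too large
    print(accepts(build_server_hello(b"\xCC" * 8)[:40]))    # message truncated
```

The two checks are independent: the second alone would still accept a 40-byte session ID in a long enough message, which is precisely the case that overflows a fixed-size destination, so a parser that only validates against the message length is not enough.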
Patch All The Things! New "Cupid" Technique Exploits Heartbleed Bug (PCMagazine)
Cupid is an exploit for the Heartbleed bug in OpenSSL that can target both servers and endpoints running Linux and Android, reports PCMagazine. "Luis Grangeia, a researcher at SysValue, created a proof-of-concept code library that he calls "Cupid." Cupid consists of two patches to existing Linux code libraries. One allows an "evil server" to exploit Heartbleed on vulnerable Linux and Android clients, while the other allows an "evil client" to attack Linux servers. Grangeia has made the source code freely available, in hopes that other researchers will join in to learn more about just what kind of attacks are possible."
New vulnerabilities
chkrootkit: privilege escalation
| Package(s): | chkrootkit | CVE #(s): | CVE-2014-0476 |
| Created: | June 4, 2014 | Updated: | June 13, 2014 |
| Description: | From the Debian advisory: Thomas Stangner discovered a vulnerability in chkrootkit, a rootkit detector, which may allow local attackers to gain root access when /tmp is mounted without the noexec option. |
| Alerts: | |
chromium-browser: multiple vulnerabilities
| Package(s): | chromium-browser | CVE #(s): | CVE-2014-1743 CVE-2014-1744 CVE-2014-1745 CVE-2014-1746 CVE-2014-1747 CVE-2014-1748 CVE-2014-1749 CVE-2014-3152 |
| Created: | June 2, 2014 | Updated: | March 30, 2016 |
| Description: | From the CVE entries: Use-after-free vulnerability in the StyleElement::removedFromDocument function in core/dom/StyleElement.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted JavaScript code that triggers tree mutation. (CVE-2014-1743) Integer overflow in the AudioInputRendererHost::OnCreateStream function in content/browser/renderer_host/media/audio_input_renderer_host.cc in Google Chrome before 35.0.1916.114 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a large shared-memory allocation. (CVE-2014-1744) Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger removal of an SVGFontFaceElement object, related to core/svg/SVGFontFaceElement.cpp. (CVE-2014-1745) The InMemoryUrlProtocol::Read function in media/filters/in_memory_url_protocol.cc in Google Chrome before 35.0.1916.114 relies on an insufficiently large integer data type, which allows remote attackers to cause a denial of service (out-of-bounds read) via vectors that trigger use of a large buffer. (CVE-2014-1746) Cross-site scripting (XSS) vulnerability in the DocumentLoader::maybeCreateArchive function in core/loader/DocumentLoader.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to inject arbitrary web script or HTML via crafted MHTML content, aka "Universal XSS (UXSS)." (CVE-2014-1747) The ScrollView::paint function in platform/scroll/ScrollView.cpp in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to spoof the UI by extending scrollbar painting into the parent frame. (CVE-2014-1748) Multiple unspecified vulnerabilities in Google Chrome before 35.0.1916.114 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. (CVE-2014-1749) Integer underflow in the LCodeGen::PrepareKeyedOperand function in arm/lithium-codegen-arm.cc in Google V8 before 3.25.28.16, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a negative key value. (CVE-2014-3152) |
| Alerts: | |
emacs: multiple vulnerabilities
| Package(s): | emacs | CVE #(s): | CVE-2014-3421 CVE-2014-3422 CVE-2014-3423 CVE-2014-3424 |
| Created: | May 30, 2014 | Updated: | March 29, 2015 |
| Description: | From the Red Hat bug report: Steve Kemp discovered multiple temporary file handling issues in Emacs. A local attacker could use these flaws to perform symbolic link attacks against users running Emacs. Original report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747100 CVE-2014-3421 was assigned to the issue in lisp/gnus/gnus-fun.el Upstream fix: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00055.html CVE-2014-3422 was assigned to the issue in lisp/emacs-lisp/find-gc.el Upstream fix: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00056.html CVE-2014-3423 was assigned to the issue in lisp/net/browse-url.el (this one does not currently have a fix) Upstream note: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00057.html CVE-2014-3424 was assigned to the issue in lisp/net/tramp.el Upstream fix: http://lists.gnu.org/archive/html/emacs-diffs/2014-05/msg00060.html |
| Alerts: | |
gnutls: code execution
| Package(s): | gnutls26 | CVE #(s): | CVE-2014-3466 |
| Created: | June 2, 2014 | Updated: | July 24, 2014 |
| Description: | From the Debian advisory: Joonas Kuorilehto discovered that GNU TLS performed insufficient validation of session IDs during TLS/SSL handshakes. A malicious server could use this to execute arbitrary code or perform denial of service. This Red Hat bug report has some more information. |
| Alerts: | |
gnutls: NULL pointer dereference flaw
| Package(s): | gnutls | CVE #(s): | CVE-2014-3465 |
| Created: | June 3, 2014 | Updated: | July 24, 2014 |
| Description: | From the Mageia advisory: A NULL pointer dereference flaw was discovered in GnuTLS's gnutls_x509_dn_oid_name(). The function, when called with the GNUTLS_X509_DN_OID_RETURN_OID flag, should not return NULL to its caller. However, it could previously return NULL when parsed X.509 certificates included specific OIDs. |
| Alerts: | |
java: insecure random numbers
| Package(s): | IBM Java 6 | CVE #(s): | CVE-2014-0878 |
| Created: | May 30, 2014 | Updated: | June 4, 2014 |
| Description: | From the Novell bug entry: The IBMSecureRandom component in the IBMJCE and IBMSecureRandom cryptographic providers in IBM SDK Java Technology Edition 5.0 before Service Refresh 16 FP6, 6 before Service Refresh 16, 6.0.1 before Service Refresh 8, 7 before Service Refresh 7, and 7R1 before Service Refresh 1 makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by predicting the random number generator's output. |
| Alerts: | |
libarchive: multiple vulnerabilities
| Package(s): | libarchive | CVE #(s): | CVE-2010-4666 CVE-2011-1779 |
| Created: | June 2, 2014 | Updated: | June 4, 2014 |
| Description: | From the CVE entries: Buffer overflow in libarchive 3.0 pre-release code allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CAB file, which is not properly handled during the reading of Huffman code data within LZX compressed data. (CVE-2010-4666) Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted (1) TAR archive or (2) ISO9660 image. (CVE-2011-1779) |
| Alerts: | |
libtasn1: multiple vulnerabilities
| Package(s): | libtasn1 | CVE #(s): | CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 |
| Created: | June 3, 2014 | Updated: | March 29, 2015 |
| Description: | From the Mageia advisory: Multiple buffer boundary check issues were discovered in the libtasn1 library, causing it to read beyond the boundary of an allocated buffer. An untrusted ASN.1 input could cause an application using the library to crash (CVE-2014-3467). It was discovered that the libtasn1 library function asn1_get_bit_der() could incorrectly report a negative bit length of the value read from ASN.1 input. This could possibly lead to an out-of-bounds access in an application using libtasn1, for example if the application tried to terminate the read value with a NUL byte (CVE-2014-3468). A NULL pointer dereference flaw was found in libtasn1's asn1_read_value_type() / asn1_read_value() function. If an application called the function with a NULL value for an ivalue argument to determine the amount of memory needed to store data to be read from the ASN.1 input, libtasn1 could incorrectly attempt to dereference the NULL pointer, causing an application using the library to crash (CVE-2014-3469). |
| Alerts: | |
moodle: information leak
| Package(s): | moodle | CVE #(s): | CVE-2014-0217 |
| Created: | May 30, 2014 | Updated: | June 4, 2014 |
| Description: | From the Moodle security alert: Description: Access to files linked on HTML blocks on the My home page was not being checked in the correct context allowing access to unauthenticated users. Issue summary: Files linked in HTML blocks on My home are available to non authenticated users |
| Alerts: | |
openstack-foreman-installer: insecure defaults
| Package(s): | openstack-foreman-installer | CVE #(s): | CVE-2013-6470 |
| Created: | May 30, 2014 | Updated: | June 4, 2014 |
| Description: | From the Red Hat advisory: It was discovered that the Qpid configuration created by openstack-foreman-installer did not have authentication enabled when run with default settings in standalone mode. An attacker able to establish a TCP connection to Qpid could access any OpenStack back end using Qpid (for example, nova) without any authentication. |
| Alerts: | |
openstack-heat-templates: multiple vulnerabilities
| Package(s): | openstack-heat-templates | CVE #(s): | CVE-2014-0040 CVE-2014-0041 CVE-2014-0042 |
| Created: | May 30, 2014 | Updated: | June 4, 2014 |
| Description: | From the Red Hat advisory: It was discovered that certain heat templates used HTTP to insecurely download packages and signing keys via Yum. An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system. (CVE-2014-0040) It was found that certain heat templates disabled SSL protection for various Yum repositories (sslverify=false). An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system. (CVE-2014-0041) It was discovered that certain heat templates disabled GPG signature checking of packages via Yum (gpgcheck=0). An attacker could use this flaw to conduct man-in-the-middle attacks to install arbitrary packages on the system. (CVE-2014-0042) |
| Alerts: | |
openstack-neutron: privilege escalation
| Package(s): | openstack-neutron | CVE #(s): | CVE-2013-6433 |
| Created: | May 30, 2014 | Updated: | October 1, 2014 |
| Description: | From the Red Hat advisory: It was discovered that the default sudo configuration provided in OpenStack Networking, which is specific to the openstack-neutron package shipped by Red Hat, did not correctly specify a configuration file for rootwrap, potentially allowing an unauthenticated user to escalate their privileges. |
| Alerts: | |
openstack-nova: unintended file access
| Package(s): | openstack-nova | CVE #(s): | CVE-2014-0134 |
| Created: | May 30, 2014 | Updated: | June 4, 2014 |
| Description: | From the Red Hat advisory: It was found that overwriting the disk inside of an instance with a malicious image, and then switching the instance to rescue mode, could potentially allow an authenticated user to access arbitrary files on the compute host depending on the file permissions and SELinux constraints of those files. Only setups that used libvirt to spawn instances and which had the use of cow images disabled ("use_cow_images = False" in nova configuration) were affected. |
| Alerts: | |
php5: denial of service
| Package(s): | php5 | CVE #(s): | CVE-2014-0237 CVE-2014-0238 |
| Created: | June 2, 2014 | Updated: | July 7, 2014 |
| Description: | From the CVE entries: The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls. (CVE-2014-0237) The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long. (CVE-2014-0238) |
| Alerts: | |
policycoreutils: privilege escalation
| Package(s): | policycoreutils | CVE #(s): | CVE-2014-3215 |
| Created: | May 30, 2014 | Updated: | March 29, 2015 |
| Description: | From the CVE entry: seunshare in policycoreutils 2.2.5 is owned by root with 4755 permissions, and executes programs in a way that changes the relationship between the setuid system call and the getresuid saved set-user-ID value, which makes it easier for local users to gain privileges by leveraging a program that mistakenly expected that it could permanently drop privileges. |
| Alerts: | |
smb4k: credential cache leak
| Package(s): | smb4k | CVE #(s): | CVE-2014-2581 |
| Created: | June 3, 2014 | Updated: | June 23, 2014 |
| Description: | From the Smb4K 1.1.1 release notes: Fixed potential security issue reported by Heiner Markert. Do not allow the cruid option to be entered via the "Additional options" line edit. Also, implement a check in Smb4KMountJob::createMountAction() that removes the cruid option from the custom options returned by Smb4KSettings::customCIFSOptions(). |
| Alerts: | |
typo3-src: multiple vulnerabilities
| Package(s): | typo3-src | CVE #(s): | |
| Created: | June 2, 2014 | Updated: | February 23, 2015 |
| Description: | From the Typo3 advisory: It has been discovered that TYPO3 CMS is vulnerable to Cross-Site Scripting, Insecure Unserialize, Improper Session Invalidation, Authentication Bypass, Information Disclosure and Host Spoofing. Failing to properly validate the HTTP host-header, TYPO3 CMS is susceptible to host spoofing. TYPO3 uses the HTTP host-header to generate absolute URLs in several places like 404 handling, http(s) enforcement, password reset links and many more. Since the host header itself is provided by the client it can be forged to any value, even in a name based virtual hosts environment. |
| Alerts: | |
Page editor: Jake Edge