
Security

Brief items

The OWASP top ten web application vulnerabilities

The Open Web Application Security Project has issued a new version of its top-ten list of web application security vulnerabilities; the full version is available from the SourceForge download network in PDF format. The list is little changed from last year - web sites are still being attacked using the same sorts of vulnerabilities. This year's list is:

  1. Unvalidated input, usually in the form of playing with HTTP requests. Many of the other problems on this list come down to input validation problems in the end.

  2. Broken access control mechanisms. Access control is often an oversight, and often implemented poorly.

  3. Broken authentication and session management. Among other things, the study points out that identifiers like session cookies must be protected by SSL or session hijacking is possible.

  4. Cross-site scripting. ("The likelihood that a site contains XSS vulnerabilities is extremely high").

  5. Buffer overflows. Web applications are certainly not unique in suffering from this class of vulnerabilities, of course. The paper singles out Java-based web applications as being immune to buffer overflow attacks.

  6. Injection flaws, with SQL injection topping the list.

  7. Improper error handling which discloses internal information.

  8. Insecure storage, meaning the failure to use (good) encryption when storing important information.

  9. Denial of service, in all the usual ways.

  10. Bad configuration management, such as the failure to apply security updates and poor system administration in general.
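Items 1, 4 and 6 of the list are easiest to see together in code. What follows is an added example written for this page, not code from the OWASP paper or from the article: a user-lookup handler written twice, once trusting the request and once validating at the boundary, binding the SQL parameter and escaping output. The table, the sample rows and the request strings are constructed for the demonstration.

```python
# Added example for this page (not from the OWASP paper or the LWN article):
# one user-lookup handler written twice, as a reminder that items 1, 4 and 6
# collapse into "trust nothing that came in the request". The users table,
# the sample rows and the request strings below are constructed for the demo.
import html
import re
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def request_name(query_string):
    """Pull the 'name' parameter out of a raw query string (it may be anything)."""
    return parse_qs(query_string).get("name", [""])[0]


def vulnerable_lookup(conn, query_string):
    """Item 1 (unvalidated input) feeding item 6 (SQL built by concatenation)
    and item 4 (request data echoed straight back into HTML)."""
    name = request_name(query_string)
    rows = conn.execute(
        "SELECT name, email FROM users WHERE name = '" + name + "'"
    ).fetchall()
    if not rows:
        return "<p>No user named " + name + "</p>"
    return "<ul>" + "".join(f"<li>{n}: {e}</li>" for n, e in rows) + "</ul>"


# Whitelist of what a user name may look like; checked at the trust boundary.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def hardened_lookup(conn, query_string):
    """Same function: validate the input, bind it as a parameter, escape output."""
    name = request_name(query_string)
    if not USERNAME_RE.match(name):
        return "<p>Invalid user name</p>"  # never echo the rejected value
    rows = conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)  # bound, not concatenated
    ).fetchall()
    if not rows:
        return "<p>No user named " + html.escape(name) + "</p>"
    return "<ul>" + "".join(
        f"<li>{html.escape(n)}: {html.escape(e)}</li>" for n, e in rows
    ) + "</ul>"


if __name__ == "__main__":
    db = make_db()
    for qs in ("name=alice", "name=x' OR '1'='1", "name=<b>x</b>"):
        print(qs, "->", vulnerable_lookup(db, qs), "|", hardened_lookup(db, qs))
```

The hardened version does three independent things, and all three are needed: the whitelist rejects anything that is not a plausible user name, the bound parameter means the database never interprets request data as SQL even if the whitelist is later loosened, and the output escaping protects the page whatever ends up stored in the table.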

This is a daunting list for anybody trying to deploy any sort of web application in a secure manner. There are so many things which can go wrong. The risks of running a web application can be managed, however. The first step toward that end is developing an awareness of where the pitfalls lie; OWASP, in compiling its list, has helped us to take a step in that direction.

Comments (1 posted)

New vulnerabilities

gaim: remote overflows

Package(s): gaim
CVE #(s): CAN-2004-0006 CAN-2004-0007 CAN-2004-0008
Created: January 26, 2004
Updated: February 17, 2004
Description: Stefan Esser has discovered several vulnerabilities in Gaim 0.75. This advisory has details of 12 separate vulnerabilities.
Alerts:
Fedora FEDORA-2004-070 gaim 2004-02-16
Whitebox WBSA-2004:033-01 Gaim 2004-02-12
Conectiva CLA-2004:813 gaim 2004-02-10
Red Hat RHSA-2004:045-01 gaim 2004-02-09
Debian DSA-434-1 gaim 2004-02-05
Mandrake MDKSA-2004:006-1 gaim 2004-01-30
SuSE SuSE-SA:2004:004 gaim 2004-01-29
Gentoo 200401-04 gaim 2004-01-27
Mandrake MDKSA-2004:006 gaim 2004-01-26
Slackware SSA:2004-026-01 gaim 2004-01-26
Red Hat RHSA-2004:033-01 gaim 2004-01-23
Red Hat RHSA-2004:032-01 gaim 2004-01-23

Comments (none posted)

mod_python: denial of service vulnerability

Package(s): mod_python
CVE #(s): CAN-2003-0973
Created: January 27, 2004
Updated: October 4, 2004
Description: Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent.

The Apache Foundation has reported that mod_python may be prone to denial of service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability; however, because that release did not fully fix it, version 2.7.10 has been released.

Users of mod_python 3.0.4 are not affected by this vulnerability.

Alerts:
Fedora-Legacy FLSA:1325 mod_python 2004-10-03
Conectiva CLA-2004:837 mod_python 2004-04-12
Whitebox WBSA-2004:058-01 mod_python 2004-03-01
Debian DSA-452-1 libapache-mod-python 2004-02-29
Red Hat RHSA-2004:058-01 mod_python 2004-02-26
Red Hat RHSA-2004:063-01 mod_python 2004-02-26
Gentoo 200401-03 mod_python 2004-01-27

Comments (none posted)

trr19: privilege leakage

Package(s): trr19
CVE #(s): CAN-2004-0047
Created: January 28, 2004
Updated: January 28, 2004
Description: The trr19 utility fails to drop group privileges, thus giving group access to a local attacker.
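The failure described here is the usual one for setgid helpers: the program gives up its user privileges but never its group, or tries to drop the group after the user when it is too late. The following is an added example, not code from trr19 or from the Debian advisory, showing the order in which privileges have to be dropped and what the mistake leaves behind. Real callers pass the `os` module; `FakeOS` is a constructed, simplified model of the kernel's rules so the ordering can be checked without running as root.

```python
# Added example, not code from trr19 or from the Debian advisory: the order in
# which a setgid/setuid helper must give up its privileges, and what the
# "fails to drop group privileges" bug leaves behind. Real callers pass the
# os module; FakeOS is a constructed, simplified model of the rules so the
# ordering can be checked without root.
import os


class FakeOS:
    """Simplified stand-in for the kernel rules (constructed for this demo):
    a process whose effective uid is 0 may switch to any id; an unprivileged
    process may only switch to ids it already holds."""

    def __init__(self, uid=0, gid=0):
        self.uid = self.euid = uid
        self.gid = self.egid = gid
        self.groups = [gid]

    def getuid(self): return self.uid
    def geteuid(self): return self.euid
    def getgid(self): return self.gid
    def getegid(self): return self.egid

    def setgroups(self, groups):
        if self.euid != 0:
            raise PermissionError("setgroups requires privilege")
        self.groups = list(groups)

    def setgid(self, gid):
        if self.euid != 0 and gid not in (self.gid, self.egid):
            raise PermissionError("cannot change gid once unprivileged")
        self.gid = self.egid = gid

    def setuid(self, uid):
        if self.euid != 0 and uid not in (self.uid, self.euid):
            raise PermissionError("cannot change uid once unprivileged")
        self.uid = self.euid = uid


def drop_user_only(uid, os_=os):
    """The trr19-style mistake: only the user id is dropped, so the process
    keeps the setgid group (and any supplementary groups) it started with."""
    os_.setuid(uid)


def can_still_setgid(os_, gid):
    """True if the process can still change its group, i.e. is still privileged."""
    try:
        os_.setgid(gid)
        return True
    except PermissionError:
        return False


def drop_privileges(uid, gid, os_=os):
    """Give up privileges in the only order that works: supplementary groups,
    then the group, then the user. Once setuid() has run the process is
    unprivileged and can no longer change its group, which is why doing the
    user first leaks the group."""
    os_.setgroups([gid])
    os_.setgid(gid)
    os_.setuid(uid)
    # Verify rather than assume: real and effective ids must both be the target.
    if (os_.getuid(), os_.geteuid(), os_.getgid(), os_.getegid()) != (uid, uid, gid, gid):
        raise RuntimeError("privilege drop incomplete")
    return True
```

The final check matters as much as the order: a drop that silently fails leaves the process exactly as exposed as one that was never attempted, so the helper should refuse to continue unless every id reads back as the unprivileged target.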
Alerts:
Debian DSA-430-1 trr19 2004-01-28

Comments (none posted)

Resources

CERT and Homeland Security get together

CERT has sent out a new announcement of its partnership with the U.S. Department of Homeland Security, which has been going on for a few months. "While this new partnership, known as US-CERT, has been low key, we have been working aggressively to upgrade our capabilities." This aggressive upgrade, for the moment, seems to consist of a new set of security bulletins for non-technical users.

Full Story (comments: none)

Events

CodeCon program announced

The third annual CodeCon is happening February 20 to 22 in San Francisco. The program for the conference has been announced; click below for the details.

Full Story (comments: none)

Page editor: Jonathan Corbet


Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds