Cenzic Research Lab Names Top Five Critical Web Application Vulnerabilities for July
Market Wire, August, 2005
Cenzic's Intelligent Analysis (CIA) research lab today named the top five most serious web application vulnerabilities for the month of July. CIA specializes in the continuous research of application vulnerabilities and the development of remediation strategies to assist customers with their web application security needs in enterprise environments.
In July, Cenzic identified and analyzed the most serious vulnerabilities announced by vendors and other third parties. The company's top five includes vulnerabilities in many of today's most widely used business platforms, including Oracle Reports and Lotus.
Under the auspices of CIA, Cenzic evaluates a wide range of newly discovered application vulnerabilities and prioritizes them based on their severity and potential to impact regulatory compliance, internal policy compliance, information privacy and financial losses. This information is released on a monthly or bi-monthly basis and can be used by enterprises as a first step in addressing the security of custom and commercial web applications.
The CIA team analyzed all web application security vulnerabilities discovered in July and selected the following for their severity and potential threat to common, widely used software and business environments:
1. Cross-Site Scripting Attacks in Oracle Reports
[CIA-1026-Alert]: http://www.cenzic.com/alerts/oracle-attacks-alerts.html
A vulnerability in Oracle Reports Server allows cross-site scripting attacks. Cross-site scripting vulnerabilities allow an attacker to craft malicious scripts that are then executed within a victim's browser.
Enterprises can contact the vendor for a workaround or security fix. Additionally, customers using Oracle products should apply the Critical Patch update for July 2005. The cross-site scripting vulnerability discussed in this alert is not fixed by the critical patch update; however, the critical patch update does address other high-risk security issues.
2. Remote Command Execution via Malicious Report Content in Oracle Reports
[CIA-1027-Alert]: http://www.cenzic.com/alerts/malicious-report-alerts.html
This vulnerability in Oracle Reports Server makes it possible for a malicious user to disclose or alter system files, change system configuration, obtain access to critical system security files (.SAM), or install backdoors.
Enterprises should consult the page below for available workarounds for this security issue: http://www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html
3. File Access and Destruction Vulnerability in Oracle Reports
[CIA-1028-Alert]: http://www.cenzic.com/alerts/destruction-parameters-alerts.html
A vulnerability in Oracle Reports Server allows a remote user to overwrite arbitrary files on the server, resulting in potential loss of critical files, and possibly damaging the underlying operating system.
Unofficial workarounds for these security issues are available from the links below:
http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html and http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html
4. File Access Vulnerability in Oracle Reports
[CIA-1029-Alert]: http://www.cenzic.com/alerts/customize-parameter-alerts.html
A vulnerability in Oracle Reports allows a remote attacker to read fragments of arbitrary XML files on the Reports server, which could give a hacker the ability to access confidential information belonging to other users.
An unofficial workaround is described at: http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html
5. Lotus Domino R5/R6 Webmail Discloses Hashed Passwords to Any Authenticated User
[CIA-1030-Alert]: http://www.cenzic.com/alerts/lotus-domino-alerts.html
A vulnerability in Lotus Domino R5/R6 Webmail allows a user to obtain encrypted password hashes for all users. The password hashes can then be subjected to brute force attacks to retrieve user credentials.
The vendor has released a workaround to address this problem, which is available in the CYBSEC S.A. Advisory at the URL below:
http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf
Cenzic uses a proprietary formula for calculating the severity of vulnerability information. Cenzic's risk metrics are subject to change without notice. The vulnerabilities selected for this alert were chosen due to one or more of the following factors:
- Origin -- the vulnerability could be exploited by unauthenticated remote users
- Boundary -- the vulnerability would allow privilege escalation upon a successful attack
- Popularity -- the software is widely used or deployed
- Criticality -- the vulnerability fits the profile of the critical areas identified by OWASP, CSI, SANS, or other sources
That a particular vulnerability is rated as severe does not imply negligence on the part of the author, maintainer or vendor of the affected software.
Cenzic has taken immediate steps to ensure that users of Cenzic Hailstorm are proactively alerted to these and other serious security vulnerabilities. CIA monitors security vulnerability information as it is released to ensure that Hailstorm provides up-to-date, comprehensive detection and remediation of the most severe application security vulnerabilities.