Cenzic Research Lab Names Top Five Critical Web Application Vulnerabilities for November and December
Market Wire, January 2006
Cenzic's Intelligent Analysis (CIA) research lab today named the top five most serious web application vulnerabilities for the months of November and December, 2005. CIA specializes in the continuous research of application vulnerabilities and the development of remediation strategies to assist customers with their web application security needs in enterprise environments.
Cenzic has identified and analyzed the most serious vulnerabilities announced by vendors and other third parties in November and December. The company's top five includes vulnerabilities in many of today's most widely used business platforms, including IBM WebSphere, Tomcat Server, PHP, Microsoft Internet Information Server and Apache.
Under the auspices of CIA, Cenzic evaluates a wide range of newly discovered application vulnerabilities and prioritizes them based on their severity and their potential to affect regulatory compliance, internal policy compliance, information privacy and financial losses. This information is released on a monthly or bi-monthly basis and can be used by enterprises as a first step in addressing the security of custom and commercial web applications.
The CIA team analyzed all web application security vulnerabilities discovered in November and December and selected the following for their severity and potential threat to common, widely used software and business environments:
1. PHP Flaw In parse_str() May Let Remote Users Turn On register_globals
[CIA-1037-Alert]
http://www.cenzic.com/cia_research/alerts/php_flaw-alert.php
A vulnerability in parse_str() allows a remote attacker to modify the PHP configuration, turning register_globals on and keeping it on for the duration of the attack. With register_globals enabled, request parameters are injected directly into the script's variable scope, so an attacker can overwrite variables the application never meant to be user-controlled. This makes other input-validation or script-injection flaws in the application or server considerably easier to exploit.
Affected enterprises should upgrade to a version of PHP in which this behavior is fixed. Independently of the fix, application code should never rely on register_globals being off, and should avoid the one-argument form of parse_str(), which writes parsed values straight into the current scope. The original advisory is available at: http://www.hardened-php.net/advisory_192005.78.html
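The following is an added example, not code from the Cenzic alert, the Hardened-PHP advisory or the PHP project. It shows the scoping behaviour that makes the one-argument form of parse_str() dangerous (the same effect register_globals has on request parameters), the safe two-argument form beside it, and a start-up check that refuses to run if register_globals is on. The function names, the `is_admin` and `page` parameters and the hostile query string are illustrative constructions. It does not reproduce the advisory's trigger for turning register_globals on.

```php
<?php
// Added example (not from the Cenzic alert or the PHP project).
// Names and the sample query string below are illustrative.

// Vulnerable: with a single argument, parse_str() writes every parsed key into
// the *current scope*, exactly what register_globals does for $_GET/$_POST.
// A request carrying  is_admin=1  silently overwrites the local default.
// (The one-argument form was deprecated in PHP 7.2 and removed in PHP 8.0.)
function render_vulnerable($queryString)
{
    $is_admin = false;            // intended default
    parse_str($queryString);      // attacker can now set $is_admin
    return $is_admin ? 'admin panel' : 'public page';
}

// Hardened: always pass a result array and read only the keys you expect.
function render_hardened($queryString)
{
    $is_admin = false;
    parse_str($queryString, $params);   // values land in $params, never in local scope
    $page = isset($params['page']) ? $params['page'] : 'home';
    // Whitelist the one value we use; page[]=x would arrive as an array.
    if (!is_string($page) || !preg_match('/^[a-z0-9_-]{1,32}$/', $page)) {
        $page = 'home';
    }
    return $is_admin ? 'admin panel' : "public page: $page";
}

// Defensive check for the condition the alert describes: refuse to serve
// anything if register_globals is on. ini_get() returns false for a directive
// that does not exist (PHP 5.4 and later removed register_globals entirely).
function assert_register_globals_off()
{
    $rg = ini_get('register_globals');
    if ($rg !== false && filter_var($rg, FILTER_VALIDATE_BOOLEAN)) {
        header('HTTP/1.1 500 Internal Server Error');
        exit('register_globals is enabled; refusing to run');
    }
}

assert_register_globals_off();
$attack = 'page=home&is_admin=1';   // constructed hostile query string
echo render_vulnerable($attack), "\n";
echo render_hardened($attack), "\n";
```

Run under PHP 5.x or 7.x to see the two handlers diverge on the same input; under PHP 8 the vulnerable function is a fatal error, which is the language's own resolution of this class of bug.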
2. Tomcat Server Lets Remote Attackers Deny Service Via Multiple Directory Requests
[CIA-1038-Alert]
http://www.cenzic.com/cia_research/alerts/tomcat_server-alert.php
A remote user can send many requests for directories that have directory listing enabled and exhaust the server so that it stops responding. The directories must contain a large number of files; the number of requests needed to produce the condition varies with the environment. An attack of this kind disrupts normal operation and prevents the server from handling further requests.
Affected sites are advised to upgrade to Apache Tomcat 5.5.12. Disabling directory listings for the DefaultServlet removes the attack surface entirely, and listings are rarely needed in production.
3. Apache mod_imap Cross-Site Scripting
[CIA-1039-Alert]
http://www.cenzic.com/cia_research/alerts/apache_mod_imap-alert.php
When Apache is configured with the mod_imap module and server-side image maps are in use, an attacker can launch Cross-Site Scripting (XSS) attacks through the server, executing arbitrary script or injecting HTML into the pages it generates. The flaw is that mod_imap reflects the value of the HTTP Referer header into the generated image-map menu page without escaping it properly. Script injected in this way runs in the victim's browser, in the security context of the site served by Apache, not on the server itself.
Cross-Site Scripting lets an attacker run script of their choosing in a victim's browser: stealing session cookies or other credentials, performing actions as the victim, or redirecting the victim to a page that exploits vulnerabilities in the browser.
Enterprises can address this vulnerability by upgrading to a fixed version of Apache; versions prior to 1.3.35-dev and 2.0.56-dev are vulnerable. Sites that do not use server-side image maps can instead remove the LoadModule line for mod_imap, since the module is optional.
4. IBM WebSphere Insecure Sample Scripts Allow Cross-Site Scripting And Reveal Valid User Accounts
[CIA-1040-Alert]
http://www.cenzic.com/cia_research/alerts/ibm_websphere-alert.php
IBM WebSphere Application Server version 6.0 ships with a number of sample applications that contain security vulnerabilities. Samples are placed on a server for demonstration purposes and should be removed from production systems. Several of the WebSphere samples contain input-validation flaws that allow an attacker to conduct Cross-Site Scripting (XSS) attacks through the server, compromising the users of any web application hosted on the same origin. The following scripts are known to contain input-validation flaws that enable script injection:
-- PlantsByWebSphere/login.jsp
-- /TechnologySample/BulletinBoard
-- /TechnologySamples/Subscription/SubscriptionJSP.jsp
-- /TechnologySamples/MovieReview2_1/
Additionally, the PlantsByWebSphere/login.jsp page returns different responses to failed authentication attempts depending on whether the supplied account exists, which lets an attacker determine whether a given username is valid on the system. This allows an attacker to enumerate valid usernames from the server and then conduct brute-force attacks against those accounts.
Enterprises should contact the vendor directly for a security fix (http://www-306.ibm.com/software/websphere/) and remove the sample applications from production servers.
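The following is an added example, not code from Apache, IBM or Cenzic, written in PHP for consistency with the rest of this page. It shows in generic form the two defects described in items 3 and 4: a page that reflects the Referer header into HTML without encoding it (the mod_imap and WebSphere XSS cases), and a login handler whose failure message reveals whether the username exists (the PlantsByWebSphere/login.jsp case). The hardened variants sit beside the vulnerable ones. The function names, the user table and the hostile Referer value are constructed for the example.

```php
<?php
// Added example (not from Apache, IBM or Cenzic). Names and data are illustrative.

// (a) Reflected XSS. mod_imap echoed the Referer into its generated menu page;
// any page that does the same without encoding is vulnerable in the same way.
function back_link_vulnerable($referer)
{
    return '<a href="' . $referer . '">Back</a>';
}

// Hardened: reject non-http(s) schemes (javascript:, data:) and encode for the
// attribute context. ENT_QUOTES covers both quote styles; the explicit charset
// prevents multi-byte sequences from slipping past the encoder.
function back_link_hardened($referer)
{
    if (!is_string($referer) || !preg_match('#^https?://#i', $referer)) {
        $referer = '/';
    }
    return '<a href="' . htmlspecialchars($referer, ENT_QUOTES, 'UTF-8') . '">Back</a>';
}

// (b) Account enumeration. The vulnerable handler tells "no such user" apart
// from "wrong password", which is all an attacker needs to build a user list.
function login_vulnerable(array $users, $user, $pass)
{
    if (!isset($users[$user])) {
        return 'Unknown user';
    }
    return password_verify($pass, $users[$user]) ? 'Welcome' : 'Wrong password';
}

// Hardened: one message for every failure, and password_verify() runs against
// a precomputed dummy hash for unknown users so response time does not leak
// the same information the message used to.
function login_hardened(array $users, $user, $pass)
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummyHash) && $known;
    return $ok ? 'Welcome' : 'Invalid username or password';
}

// Constructed inputs, not real data.
$hostileReferer = 'http://evil.example/"><script>alert(document.cookie)</script>';
$users = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));

echo back_link_vulnerable($hostileReferer), "\n";
echo back_link_hardened($hostileReferer), "\n";
echo login_vulnerable($users, 'bob', 'x'), ' / ', login_vulnerable($users, 'alice', 'x'), "\n";
echo login_hardened($users, 'bob', 'x'), ' / ', login_hardened($users, 'alice', 'x'), "\n";
```

Requires PHP 5.5 or later for password_hash(). The first pair of lines shows the injected script intact in the vulnerable link and entity-encoded in the hardened one; the second pair shows the vulnerable login answering differently for an unknown and a known user while the hardened login answers identically.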