This week, advisories were released for emacs, gftp, bidwatcher, mailman, squid, mod_python, kdeedu, gamin, pcmcia, openssh, postgresql, gimp, midnight commander, gproftpd, cyrus imap, cups, kdelibs, xpdf, uim, cpio, and vim. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, and SuSE.

VULNERABILITIES IN WEB APPLICATIONS
By Raymond Ankobia

The Internet has made the world smaller. In our routine usage we tend to overlook that "www" really does mean "world wide web", making virtually instant global communication possible. It has altered the rules of marketing and retailing. An imaginative website can give a small company as much impact and exposure as its much larger competitors. In the electronics, books, travel and banking sectors, long-established retail chains are increasingly under pressure from e-retailers. All this, however, has come at a price: ever more inventive and potentially damaging cyber crime. This paper aims to raise awareness by discussing common vulnerabilities and mistakes in web application development. It also considers mitigating factors, strategies and corrective measures.

The Internet has become part and parcel of the corporate agenda. But does the risk of exposing information assets get sufficient management attention? Extensions of corporate portals for Business-to-Business (B2B) transactions and developments of websites for Business-to-Customer (B2C) transactions have been largely successful. But the task of assessing the vulnerabilities and threats to corporate information assets is still avoided by many organisations. The desire to stay ahead of the competition while minimising cost by leveraging technology means the process is driven by pressure to achieve results. What suffers in the end is the application development cycle: it is completed without security in mind. Section 1 of this paper introduces the world of e-business and sets the stage for further discussion. Section 2 looks at common vulnerabilities inherent in web application development. Section 3 considers countermeasures and strategies that will minimise, if not eradicate, some of the vulnerabilities. Sections 4 and 5 draw conclusions and look at current trends and future expectations.

The TCP/IP protocol stack, the underlying technology, is known for its lack of security on many of its layers. Most applications written for use on the Internet sit at the application layer, traditionally using HTTP on port 80 on most web servers. The HTTP protocol is stateless and does not provide freshness mechanisms for a session between a client and server; many hackers take advantage of these inherent weaknesses. TCP/IP may be reliable in delivering Internet packets, but it provides no guarantee of confidentiality or integrity and little in the way of identification. As emphasised in [1], Internet packets may traverse several hosts between the source and destination addresses. During that journey they can be intercepted by third parties, who may copy, alter or substitute them before final delivery. Failure to detect and prevent attacks on web applications is potentially catastrophic. Attacks are loosely grouped into two types, passive and active. Passive attackers [6] engage in eavesdropping on, or monitoring of, transmissions. Active attacks involve some modification of the data stream or the creation of false data streams [6].
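The paragraph above makes the point that HTTP gives a session no freshness and that TCP/IP gives the data no integrity, so a web application has to supply both itself. The following Python is an added illustration of one common way to do that, not code from the feature article: a session token that carries its issue time and an HMAC over its contents, so a tampered token (an active attack on the data stream) fails the signature check and a stale or replayed token fails the age check. The key value, the 600-second lifetime and the `user|issued_at` layout are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Constructed example key: a real deployment loads this from a key store, never from source.
SECRET_KEY = b"example-secret-key-do-not-reuse"
# Assumed session lifetime: a token older than this is treated as stale (freshness check).
MAX_AGE_SECONDS = 600


def _sign(payload: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the raw payload; this is the integrity tag."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_token(user_id: str, key: bytes = SECRET_KEY, now=None) -> str:
    """Build 'urlsafe_base64(user_id|issued_at).hexmac' for the given user."""
    issued_at = int(time.time() if now is None else now)
    payload = f"{user_id}|{issued_at}".encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload, key)}"


def verify_token(token: str, key: bytes = SECRET_KEY, now=None,
                 max_age: int = MAX_AGE_SECONDS):
    """Return (user_id, 'ok') for a valid token, or (None, reason) otherwise.

    Integrity is checked before the payload is parsed, and with a constant-time
    comparison so the tag check itself leaks nothing about the expected value.
    """
    now = time.time() if now is None else now
    try:
        body, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None, "malformed"
    if not hmac.compare_digest(_sign(payload, key), mac):
        return None, "bad-signature"
    try:
        user_id, issued_at_str = payload.decode().split("|", 1)
        issued_at = int(issued_at_str)
    except ValueError:
        return None, "malformed"
    age = now - issued_at
    # Reject tokens from the future (clock or forgery problem) as well as expired ones.
    if age < 0 or age > max_age:
        return None, "stale"
    return user_id, "ok"


def rewrite_user(token: str, new_user: str) -> str:
    """Test helper: change the user in the body while keeping the original tag.

    This models an in-transit modification of the data stream; verify_token
    must reject the result because the tag no longer matches the payload.
    """
    body, mac = token.split(".", 1)
    _, issued_at = base64.urlsafe_b64decode(body.encode()).decode().split("|", 1)
    new_body = base64.urlsafe_b64encode(f"{new_user}|{issued_at}".encode()).decode()
    return f"{new_body}.{mac}"


if __name__ == "__main__":
    tok = issue_token("alice", now=1000)
    print("fresh, intact  :", verify_token(tok, now=1100))
    print("expired        :", verify_token(tok, now=1000 + MAX_AGE_SECONDS + 1))
    print("body tampered  :", verify_token(rewrite_user(tok, "admin"), now=1100))
    print("wrong key      :", verify_token(tok, key=b"other-key", now=1100))
    print("garbage        :", verify_token("not-a-token", now=1100))
```

Note that the token is still sent in clear unless the transport is TLS: the HMAC gives integrity and the timestamp gives freshness, but neither gives confidentiality, which the paragraph lists as the third missing property.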

Read full feature:
features/features/vulnerabilities-in-web-applications

LinuxSecurity.com Feature Extras:

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

The Tao of Network Security Monitoring: Beyond Intrusion Detection - To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions that they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant.

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe, send an e-mail to the list address with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.


Debian
Debian: New emacs21 packages fix arbitrary code execution
17th, February, 2005

Updated package. advisories/debian/debian-new-emacs21-packages-fix-arbitrary-code-execution
Debian: New gftp packages fix directory traversal vulnerability
17th, February, 2005

Updated package. advisories/debian/debian-new-gftp-packages-fix-directory-traversal-vulnerability
Debian: New bidwatcher packages fix format string vulnerability
18th, February, 2005

Updated package. advisories/debian/debian-new-bidwatcher-packages-fix-format-string-vulnerability
Debian: New mailman packages really fix several vulnerabilities
21st, February, 2005

Updated package. advisories/debian/debian-new-mailman-packages-really-fix-several-vulnerabilities-77313
Debian: New squid packages fix denial of service
23rd, February, 2005

Updated packages. advisories/debian/debian-new-squid-packages-fix-denial-of-service-8029
Debian: New mod_python packages fix information leak
23rd, February, 2005

Updated packages. advisories/debian/debian-new-modpython-packages-fix-information-leak
Fedora
Fedora Core 3 Update: kdeedu-3.3.1-2.3
17th, February, 2005

Updated package. advisories/fedora/fedora-core-3-update-kdeedu-331-23-08-52-00-118361
Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.80
17th, February, 2005

Updated. advisories/fedora/fedora-core-3-update-selinux-policy-targeted-11730-280-22-23-00-118364
Fedora Core 3 Update: policycoreutils-1.18.1-2.9
17th, February, 2005

Updated. advisories/fedora/fedora-core-3-update-policycoreutils-1181-29-22-24-00-118365
Fedora Core 3 Update: gamin-0.0.24-1.FC3
18th, February, 2005

This update fixes a number of annoying bugs in gamin especially the Desktop update problem in the GNOME environment that affected a number of users. advisories/fedora/fedora-core-3-update-gamin-0024-1fc3-16-18-00-118386
Fedora Core 3 Update: pcmcia-cs-3.2.7-2.2
21st, February, 2005

Updated package. advisories/fedora/fedora-core-3-update-pcmcia-cs-327-22-17-19-00-118397
Fedora Core 2 Update: gaim-1.1.3-1.FC2
22nd, February, 2005

Updated package. advisories/fedora/fedora-core-2-update-gaim-113-1fc2-10-13-00-118404
Fedora Core 3 Update: gaim-1.1.3-1.FC3
22nd, February, 2005

Updated package. advisories/fedora/fedora-core-3-update-gaim-113-1fc3-10-14-00-118405
Fedora Core 3 Update: openssh-3.9p1-8.0.1
22nd, February, 2005

This update changes default ssh client configuration so the trusted X11 forwarding is enabled. Untrusted X11 forwarding is not supported by X11 clients and doesn't work with Xinerama. advisories/fedora/fedora-core-3-update-openssh-39p1-801-10-15-00-118406
Fedora Core 3 Update: postgresql-7.4.7-3.FC3.1
22nd, February, 2005

Updated package. advisories/fedora/fedora-core-3-update-postgresql-747-3fc31-12-56-00-118407
Fedora Core 2 Update: postgresql-7.4.7-3.FC2.1
22nd, February, 2005

Updated package. advisories/fedora/fedora-core-2-update-postgresql-747-3fc21-12-56-00-118408
Fedora Core 2 Update: squid-2.5.STABLE8-1.FC2.1
22nd, February, 2005

This update fixes CAN-2005-0446, Squid DoS from bad DNS response. advisories/fedora/fedora-core-2-update-squid-25stable8-1fc21-13-46-00-118409
Fedora Core 3 Update: squid-2.5.STABLE8-1.FC3.1
22nd, February, 2005

This update fixes CAN-2005-0446, Squid DoS from bad DNS response. advisories/fedora/fedora-core-3-update-squid-25stable8-1fc31-13-46-00-118410
Fedora Core 3 Update: gimp-help-2-0.1.0.7.0.fc3.1
24th, February, 2005

Updated package. advisories/fedora/fedora-core-3-update-gimp-help-2-01070fc31-12-26-00-118424
Gentoo
Gentoo: Midnight Commander Multiple vulnerabilities
17th, February, 2005

Midnight Commander contains several format string errors, buffer overflows and one buffer underflow leading to execution of arbitrary code.
Gentoo: Squid Denial of Service through DNS responses
18th, February, 2005

Squid contains a bug in the handling of certain DNS responses resulting in a Denial of Service.
Gentoo: GProFTPD gprostats format string vulnerability
18th, February, 2005

gprostats, distributed with GProFTPD, is vulnerable to a format string vulnerability, potentially leading to the execution of arbitrary code.
Gentoo: gFTP Directory traversal vulnerability
19th, February, 2005

gFTP is vulnerable to directory traversal attacks, possibly leading to the creation or overwriting of arbitrary files.
Gentoo: PuTTY Remote code execution
21st, February, 2005

PuTTY was found to contain vulnerabilities that can allow a malicious SFTP server to execute arbitrary code on unsuspecting PSCP and PSFTP clients.
Gentoo: Cyrus IMAP Server Multiple overflow vulnerabilities
23rd, February, 2005

The Cyrus IMAP Server is affected by several overflow vulnerabilities which could potentially lead to the remote execution of arbitrary code.
Mandrake
Mandrake: Updated cups packages fix
17th, February, 2005

Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64 bit platform. (formerly CAN-2004-0888). This also affects applications like cups, that use embedded versions of xpdf. The updated packages are patched to deal with these issues.
Mandrake: Updated gpdf packages fix
17th, February, 2005

Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64 bit platform. (formerly CAN-2004-0888). This also affects applications like gpdf, that use embedded versions of xpdf. The updated packages are patched to deal with these issues.
Mandrake: Updated kdelibs packages fix
17th, February, 2005

A bug in the way kioslave handles URL-encoded newline (%0a) characters before the FTP command was discovered. Because of this, it is possible that a specially crafted URL could be used to execute any ftp command on a remote server, or even send unsolicited email.
Mandrake: Updated KDE packages address
17th, February, 2005

Updated package.
Mandrake: Updated xpdf packages fix
17th, February, 2005

Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64 bit platform. (formerly CAN-2004-0888). This also affects applications that use embedded versions of xpdf. The updated packages are patched to deal with these issues.
Mandrake: Updated PostgreSQL packages
17th, February, 2005

A number of vulnerabilities were found.
Mandrake: Updated tetex packages fix
17th, February, 2005

Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64 bit platform. (formerly CAN-2004-0888). This also affects applications like tetex, that use embedded versions of xpdf. The updated packages are patched to deal with these issues.
Mandrake: Updated uim packages fix
24th, February, 2005

Takumi ASAKI discovered that uim always trusts environment variables which can allow a local attacker to obtain elevated privileges when libuim is linked against an suid/sgid application. This problem is only exploitable in 'immodule for Qt' enabled Qt applications. The updated packages are patched to fix the problem.
Mandrake: Updated squid packages fix
24th, February, 2005

The squid developers discovered that a remote attacker could cause squid to crash via certain DNS responses. The updated packages are patched to fix the problem.
Red Hat
RedHat: Low: cpio security update
18th, February, 2005

An updated cpio package that fixes a umask bug and supports large files (>2GB) is now available. This update has been rated as having low security impact by the Red Hat Security Response Team advisories/red-hat/redhat-low-cpio-security-update-84799
RedHat: Low: imap security update
18th, February, 2005

Updated imap packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having low security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-low-imap-security-update-RHSA-2005-114-01
RedHat: Low: vim security update
18th, February, 2005

Updated vim packages that fix a security vulnerability are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-low-vim-security-update-21849
RedHat: Important: cups security update
18th, February, 2005

Updated cups packages that fix a security issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-cups-security-update-82866
RedHat: Important: kernel security update
18th, February, 2005

Updated kernel packages that fix several security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-kernel-security-update-85756
RedHat: Moderate: imap security update
23rd, February, 2005

Updated imap packages to correct a security vulnerability in CRAM-MD5 authentication are now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-imap-security-update-79652
SuSE
SuSE: squid remote denial of service
22nd, February, 2005

Squid is an Open Source web proxy. A remote attacker was potentially able to crash the Squid web proxy if the log_fqdn option was set to "on" and the DNS replies were manipulated.
SuSE: cyrus-imapd buffer overflows
24th, February, 2005

This update fixes one-byte buffer overruns in the cyrus-imapd IMAP server package.