April 29th, 2009
Five 'must-secure' Web app vulnerabilities
Security holes in the Apache Geronimo Application Server and SAP cFolders headline a list of five serious Web app vulnerabilities that demand immediate attention.
According to Mark Painter from the HP Security Laboratory, the Geronimo flaws expose users to a variety of attack vectors that could lead to the theft of sensitive information and cookie-based authentication credentials. Here’s the top-five list from this past week:
1. Apache Geronimo Application Server
The free, open-source Apache Geronimo Application Server 2.1 through 2.1.3 is prone to multiple remote vulnerabilities.
- Multiple directory traversal vulnerabilities (see advisory)
- A cross-site scripting vulnerability (see advisory)
- Multiple HTML-injection vulnerabilities
- A cross-site request-forgery vulnerability (see advisory)
Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, execute arbitrary script code in a victim's browser, steal cookie-based authentication credentials, and perform certain administrative actions with the privileges of a logged-in administrator.
2. SAP cFolders
SAP cFolders is vulnerable to several cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
- SAP Cfolders Multiple Stored XSS Vulnerabilities (Digital Security Research Group, DSecRG)
- SAP Cfolders Multiple Linked XSS Vulnerabilities (Digital Security Research Group, DSecRG)
- SAP note 1284360 (SAP)
- SAP note 1292875 (SAP)
3. CS Whois Lookup
CS Whois Lookup is prone to a remote command-execution vulnerability because the software fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected software and possibly the computer.
An attacker can exploit this issue from a browser; an example URI is available.
No patches are available yet. Contact the CS Whois Lookup vendor for information.
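The defect described above is the classic one for lookup scripts: the form value is pasted into a shell command line, so shell metacharacters in it run as extra commands. The block below is an added example written for this article, not CS Whois Lookup's code: a hypothetical lookup handler in which `naive_whois_command` shows the vulnerable construction, `shell_tokens` shows what the shell would actually see, and `safe_whois_argv` shows the hardened form (allow-list validation of the hostname plus an argument vector with no shell). The whois binary itself is only invoked by `run_whois`, which needs network access and is not required to follow the example.

```python
import re
import shlex
import subprocess

# Hypothetical whois-lookup handler written for this article to illustrate the
# vulnerability class. It is not CS Whois Lookup's code; `query` stands for the
# value a user submits through the lookup form.


def naive_whois_command(query: str) -> str:
    """Vulnerable pattern: the user-supplied value is pasted into a command line
    that is later handed to /bin/sh, so any shell metacharacter in it is honoured."""
    return "whois " + query


def shell_tokens(command: str) -> list:
    """Tokenise a command line the way a POSIX shell would, so an injected
    command separator shows up as its own token."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


# Allow-list for the target: dot-separated labels of letters, digits and hyphens,
# each starting and ending with a letter or digit, at least one dot.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def validate_hostname(query: str) -> str:
    """Reject anything that is not a syntactically valid hostname. Because the
    first character must be alphanumeric, the value can never be parsed as a
    whois option such as -h either (argument injection, not only shell injection)."""
    q = query.strip().lower()
    if len(q) > 253 or not _HOSTNAME_RE.match(q):
        raise ValueError(f"rejected lookup target: {query!r}")
    return q


def safe_whois_argv(query: str) -> list:
    """Hardened form: the validated target is its own argv element and no shell
    is involved, so metacharacters would be inert even if one slipped through."""
    return ["whois", validate_hostname(query)]


def run_whois(query: str, timeout: float = 15.0) -> str:
    """Run the lookup. Raises ValueError before touching the system on bad input.
    Requires a whois binary and network access, so the tests do not call it."""
    proc = subprocess.run(safe_whois_argv(query), capture_output=True, text=True,
                          timeout=timeout, check=False)  # shell=False is the default
    return proc.stdout


def rejected(query: str) -> bool:
    """True if the hardened path refuses the value."""
    try:
        safe_whois_argv(query)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "example.com; id"  # constructed attacker input
    print("naive command line:", naive_whois_command(payload))
    print("what the shell sees:", shell_tokens(naive_whois_command(payload)))
    print("hardened argv for a good value:", safe_whois_argv("example.com"))
    print("hardened path rejects payload:", rejected(payload))
```

Note that the fix is the combination: validation stops bad values at the door, and the list-form `subprocess.run` means a missed case still cannot reach a shell. Single-label names such as `localhost` are rejected by design; widen the regex if the lookup legitimately needs them.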
4. phpMyAdmin
There is a remote PHP code-injection vulnerability (PMASA-2009-4) affecting phpMyAdmin.
An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
This issue affects phpMyAdmin 3.x prior to 3.1.3.2. Attackers can exploit it via a browser. Patches are available.
5. Novell Teaming
A user-enumeration weakness and multiple cross-site scripting vulnerabilities expose users of Novell Teaming to a range of attack scenarios.
- A remote attacker can exploit the user-enumeration weakness to enumerate valid usernames and then perform brute-force attacks; other attacks are also possible.
- The attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
To exploit the cross-site scripting issue, the attacker must entice an unsuspecting victim to follow a malicious URI; an example URI is available.
- Multiple Vulnerabilities in Novell Teaming (Bernhard Mueller)
- Novell Teaming username enumeration vulnerability fix (Novell)
- Novell Teaming Cross-Site Scripting Vulnerability fix (Novell)
Novell Teaming 1.0.3 is vulnerable; other versions may also be affected.
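The user-enumeration weakness above is worth seeing in code, because it usually comes from a login handler that answers "unknown user" and "wrong password" differently (and does less work for unknown users, which leaks the same fact through timing). The block below is an added example written for this article, not Novell Teaming's code: a hypothetical login back-end with a constructed single-user store, `login_leaky` showing the weak behaviour, `login_uniform` the fix (one generic message, a dummy hash so unknown users cost the same, constant-time comparison), and `distinguishes_users` the check a tester would run against either.

```python
import hashlib
import hmac
import os
import time

# Illustrative login back-end written for this article to show the user-enumeration
# weakness and its fix. It is not Novell Teaming's code; the user store below is
# constructed for the example.

_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


_ALICE_SALT = b"constructed-salt"  # fixed so the example is deterministic
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse battery", _ALICE_SALT))}


def login_leaky(username: str, password: str) -> str:
    """Weak: the response, and the amount of work done, depend on whether the
    username exists, so an attacker can confirm valid account names one by one
    and then brute-force only those."""
    if username not in USERS:
        return "unknown user"
    salt, stored = USERS[username]
    if _hash_password(password, salt) == stored:
        return "ok"
    return "wrong password"


# Hardened: unknown users are checked against a random dummy record so the
# server does the same hashing work either way, and both failures share one message.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_uniform(username: str, password: str) -> str:
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)  # constant-time comparison
    if matched and username in USERS:
        return "ok"
    return "invalid username or password"


def distinguishes_users(login, known: str, unknown: str,
                        password: str = "not-the-password") -> bool:
    """Enumeration check: do the responses for an existing and a non-existent
    account differ when the password is wrong in both cases?"""
    return login(known, password) != login(unknown, password)


def timing_gap_ms(login, known: str, unknown: str, rounds: int = 20) -> float:
    """Rough timing oracle for the reader to run: mean difference in milliseconds
    between a failed login for a known and for an unknown user."""
    def mean(user):
        t0 = time.perf_counter()
        for _ in range(rounds):
            login(user, "not-the-password")
        return (time.perf_counter() - t0) / rounds
    return (mean(known) - mean(unknown)) * 1000.0


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "leaks usernames:", distinguishes_users(fn, "alice", "mallory"),
              "timing gap (ms): %.2f" % timing_gap_ms(fn, "alice", "mallory"))
```

The same rule applies to registration and password-reset forms, which are the other usual enumeration points: respond identically whether or not the account exists, and do the expensive step (hashing, sending mail) in both branches or in neither.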
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.