Cenzic Research Lab Names Top Five Critical Web Application Vulnerabilities

 

CGIDir
Friday, June 2, 2006; 06:39 AM

Cenzic's Intelligent Analysis (CIA) research lab named the top five most serious web application vulnerabilities for the months of March and April 2006. CIA specializes in the continuous research of application vulnerabilities and the development of remediation strategies to assist customers with their web application security needs in enterprise environments.

Under the auspice of CIA, Cenzic evaluates a wide range of newly discovered application vulnerabilities and prioritizes them based on their severity and potential to impact regulatory compliance, internal policy compliance, information privacy and financial losses. This information is released on a monthly or bi-monthly basis and can be used by enterprises as a first step in addressing the security of custom and commercial web applications.

The CIA team analyzed all web application security vulnerabilities discovered in March and April and named the following as the top five most serious vulnerabilities for this time period:

1. osCommerce Extras Directory Traversal Vulnerability

[CIA-1047-Alert]

osCommerce, a popular e-Commerce framework written in PHP, has a directory traversal vulnerability in version 2.2 and possibly earlier versions that allows an attacker to view files outside of the web server root directory using "../" characters. The attack allows arbitrary files to be viewed with the associated permissions of the web server process. Sites running affected versions should upgrade to a fixed version even if the "extras" package is not being used, or remove the "extras" directory until a solution is available.

Contact osCommerce for additional information on solutions or fixes at: http://www.oscommerce.com/solutions/oscommerce
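The osCommerce item above describes the classic "../" traversal: a file name taken from the request is joined to a directory under the web root and read without checking where the resulting path actually lands. The following is an added example, not code from the CGIDir article or from osCommerce, showing the defensive check a file-serving handler should make: resolve the final path and verify it is still under the configured root. The web root, file names and contents are constructed for the example.

```python
"""Added example (not from the article or osCommerce): a file-serving check that
rejects "../" traversal by resolving the requested path and confirming it still
lies under the web root.  Directory layout and file contents are constructed."""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_under_root(web_root: str, requested: str) -> Optional[Path]:
    """Return the real path of `requested` only if it lies inside `web_root`.

    os.path.realpath collapses "..", duplicate separators and symlinks, so the
    decision is made on the final location rather than on the raw string.  A
    substring filter for "../" would miss variants such as "..\\" or "....//".
    """
    root = Path(os.path.realpath(web_root))
    # Drop a leading separator so an absolute request cannot override the join.
    joined = os.path.join(root, requested.lstrip("/\\"))
    candidate = Path(os.path.realpath(joined))
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # resolved outside the root: traversal attempt
    return candidate


def serve(web_root: str, requested: str) -> Optional[bytes]:
    """Read a file only if it resolves under the web root; None otherwise."""
    path = resolve_under_root(web_root, requested)
    if path is None or not path.is_file():
        return None
    return path.read_bytes()


def demo() -> Dict[str, Optional[bytes]]:
    """Build a constructed web root with one public file and one file above it."""
    base = Path(tempfile.mkdtemp())
    web_root = base / "htdocs"
    (web_root / "extras").mkdir(parents=True)
    (web_root / "extras" / "readme.txt").write_bytes(b"public")
    (base / "secret.txt").write_bytes(b"outside the web root")
    return {
        "inside": serve(str(web_root), "extras/readme.txt"),
        "traversal": serve(str(web_root), "extras/../../secret.txt"),
        "absolute": serve(str(web_root), "/etc/hostname"),
    }


if __name__ == "__main__":
    for name, body in demo().items():
        print(f"{name}: {body!r}")
```

The check deliberately happens after resolution: canonicalising first and comparing prefixes afterwards is what makes encoded or doubled traversal sequences irrelevant.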

2. IBM Tivoli Business Systems Manager Cross Site Scripting

[CIA-1048-Alert]

The IBM Tivoli Business Systems Manager version 3.1 lacks sufficient input validation in one of its .jsp scripts, in that the script apwc_win_main.jsp fails to properly sanitize user input in the "skin=" parameter. This flaw allows a remote attacker to launch Cross Site Scripting attacks to steal user cookies, redirect the user to potentially dangerous content, and possibly exploit other browser-based flaws.

IBM has provided a security fix (LA interim fix, 3.1.0.1-TIV-BSM-LA0112 and LA interim fix, 3.1.0.1-TIV-BSM-LA0116). The vendor advisory provides additional information: http://www-1.ibm.com/support/docview.wss?uid=swg1OA14904
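The Tivoli item above is a reflected cross-site scripting flaw: a request parameter ("skin=") is placed into the page without sanitisation. As an added example that is not IBM's code, the block below shows the two defences that close this class of bug: an allow-list for a parameter that only selects among known resources, and HTML entity encoding for any value that must be echoed. The parameter name, the skin list and the page template are constructed for the example.

```python
"""Added example (not IBM's code): handling an untrusted "skin" parameter.
The allow-list, template and sample inputs are constructed for illustration."""
import html
from typing import Optional

ALLOWED_SKINS = {"default", "classic", "dark"}  # constructed allow-list


def choose_skin(value: Optional[str]) -> str:
    """Map an untrusted skin= value onto a known skin name, else fall back to default.

    A parameter that only picks one of a fixed set of resources never needs to be
    echoed at all; comparing against an allow-list removes the injection surface.
    """
    return value if value in ALLOWED_SKINS else "default"


def render_page(skin_param: Optional[str], echoed: str) -> str:
    """Build a minimal page: the skin name is allow-listed, the echoed value encoded.

    html.escape(quote=True) also encodes both quote characters, so the value
    cannot terminate an attribute or element it is placed into.
    """
    skin = choose_skin(skin_param)
    safe_echo = html.escape(echoed, quote=True)
    return (
        f'<link rel="stylesheet" href="/skins/{skin}.css">'
        f"<p>You are viewing the {safe_echo} skin.</p>"
    )


def reflects_markup(page: str, marker: str) -> bool:
    """Detection helper for a test harness: does a markup-bearing input appear verbatim?"""
    return marker in page


if __name__ == "__main__":
    sample = "<b>tag</b>"  # constructed markup-bearing input, not an exploit string
    print(render_page(sample, sample))
```

Running the block with a markup-bearing input shows the unknown skin name replaced by the default and the echoed text rendered as entities, so no tag reaches the browser unescaped.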

3. IBM Websphere Multiple Vulnerabilities

[CIA-1049-Alert]

A JSP disclosure affects Websphere versions 4.0.1 through 4.0.3. Under certain conditions the JSP source of files can be displayed rather than the intended page, disclosing confidential information and helping attackers find other vulnerabilities in the web application running on the Websphere Host.

-- Solution: Affected sites should apply the appropriate fix packs available from the vendor, or upgrade to a newer version (from 5.0 to 5.0.2.16; or from 5.1 to 5.1.1.10). For additional information, log in to the IBM website at: www.ibm.com/support/docview.wss?uid=swg21053738

Overly long HTTP header values can crash certain 5.x versions of Websphere, allowing remote users to deny service. Affected versions include 5.0 release versions 5.0.2.15 and prior, and 5.1 release versions 5.1.1.9 and prior.

-- Solution: Vulnerabilities can be eliminated by APAR (PQ62144) as well as upgrading to version 4.0.4. For additional information, log in to the IBM website at: www.ibm.com/support/docview.wss?uid=swg21053738

4. Microsoft Multiple Cross Site Scripting Vulnerabilities

[CIA-1050-Alert]

Cross Site Scripting vulnerabilities have been reported in Microsoft FrontPage Extensions 2002 and SharePoint Team Services, allowing an attacker to inject script into web pages that then runs in the user's browser with the trust the browser extends to the web server's domain.

Microsoft has produced a number of patches to address the security issues outlined in MS06-017. Affected enterprises should consult the advisory to determine the extent to which particular server configurations or application versions are vulnerable: http://www.microsoft.com/technet/security/bulletin/ms06-017.mspx

5. Groupwise Accept-Language Header Buffer Overflow

[CIA-1051-Alert]

Novell Groupwise Messenger 2.0 is vulnerable to a remote buffer overflow in the processing of HTTP header values, allowing an attacker to execute arbitrary code by supplying a malformed header value. The specific flaw resides in a Messenger Agent that typically listens on port 8300, which can be exploited by sending the web server a specially formatted Accept-Language header.

The vendor has issued a fix for this vulnerability (2.0 Public Beta 2), and will include the security patch within Groupwise Messenger 2.0 SP1. For additional information visit: http://support.novell.com/cgi-bin/search/searchtid.cgi?10100861.htm
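Two of the items above (the Websphere denial of service via overly long header values, and the Groupwise Messenger overflow in the Accept-Language header) share a root cause: header values reach parsing code with no bound on their length or shape. The block below is an added example, not code from Novell, IBM or the article, of a front-door check that parses the header block of a request, enforces size and count limits, and validates Accept-Language against the language-range grammar before the request is handed on. The limits, the header cap and the sample requests are constructed for the example.

```python
"""Added example (not vendor code): bounding and validating HTTP header values
before they reach application code.  Limits and sample requests are constructed."""
import re
from typing import Dict, Optional, Tuple

MAX_HEADER_VALUE = 1024   # constructed cap on a single header value, in bytes
MAX_HEADER_COUNT = 64     # constructed cap on the number of header lines
# Language range as used by Accept-Language: "*" or alpha{1,8}(-alnum{1,8})*
LANGUAGE_RANGE = re.compile(r"\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*")
QVALUE = re.compile(r"q=(0(\.\d{1,3})?|1(\.0{1,3})?)")


def parse_headers(raw: bytes) -> Tuple[Optional[Dict[str, str]], str]:
    """Return (headers, "ok") for an acceptable header block, else (None, reason)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None, "non-ascii bytes in header block"
    lines = text.split("\r\n")
    if not lines[0].startswith(("GET ", "POST ", "HEAD ")):
        return None, "bad request line"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        if len(headers) >= MAX_HEADER_COUNT:
            return None, "too many headers"
        name, sep, value = line.partition(":")
        name = name.strip()
        if not sep or not name:
            return None, "malformed header line"
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE:
            return None, f"header {name} exceeds {MAX_HEADER_VALUE} bytes"
        headers[name.lower()] = value
    return headers, "ok"


def accept_language_ok(value: str) -> bool:
    """Accept only a comma-separated list of language ranges with optional q-weights."""
    for item in value.split(","):
        tag, _, q = item.strip().partition(";")
        if not LANGUAGE_RANGE.fullmatch(tag.strip()):
            return False
        if q and not QVALUE.fullmatch(q.strip()):
            return False
    return True


def check_request(raw: bytes) -> Tuple[bool, str]:
    """Combine the structural limits with the Accept-Language grammar check."""
    headers, reason = parse_headers(raw)
    if headers is None:
        return False, reason
    lang = headers.get("accept-language")
    if lang is not None and not accept_language_ok(lang):
        return False, "accept-language fails grammar check"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one normal, one with an oversized header value.
    normal = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept-Language: en-US,en;q=0.8\r\n\r\n"
    oversized = b"GET / HTTP/1.1\r\nHost: example.test\r\nAccept-Language: " + b"A" * 5000 + b"\r\n\r\n"
    for req in (normal, oversized):
        print(check_request(req))
```

The length cap is the control that matters for both advisories; the grammar check is cheap extra assurance for a header whose legitimate values are tiny, and a rejection with a reason string is also a useful thing to log for detection.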

Cenzic uses a proprietary formula for calculating the severity of vulnerability information. Cenzic's risk metrics are subject to change without notice. The vulnerabilities selected for this alert were chosen due to one or more of the following factors:

-- Origin: the vulnerability could be exploited by unauthenticated remote users;
-- Boundary: the vulnerability would allow privilege escalation upon a successful attack;
-- Popularity: the software is widely used or deployed; and
-- Criticality: the vulnerability fits the profile of the critical areas identified by OWASP, CSI, SANS, or other sources.

That a particular vulnerability is rated as severe does not imply negligence on the part of the author/maintainer/vendor of the affected software.

Cenzic also announced that it has taken immediate steps to ensure that users of Cenzic Hailstorm are proactively alerted against these and other serious security vulnerabilities. CIA monitors security vulnerability information as it is released to ensure that Hailstorm provides up-to-date, comprehensive detection and remediation of the most severe application security vulnerabilities. For more information, please visit Cenzic's CIA website at http://www.cenzic.com/cia_research/.
