In the world of security a lot can happen in three days. Let's take the popular web content management system Drupal. Over the past three days both Secunia and Security Focus have published a total of five Drupal vulnerabilities. Although these advisories have all been patched in the latest release of Drupal, many companies and organizations on the web rely on Drupal to handle their day-to-day business, but how many of them keep their installation up to date? Cross-site scripting (HTML injection), SQL injection and security bypasses are the attack vectors targeted in these five Drupal vulnerabilities.
I've been subscribed to the IDG Connect mailing list for a while now. While I don't read all of the content they send me, this one caught my attention. I'm not going to be viewing this webcast since I have prior arrangements, but anyone else is welcome to sign up for it. If you're looking for a web application security primer, this might be a good one. I'll check it out once it's finished, if they put it online. It starts at 1 PM EDT, so you've got about an hour and 10 minutes.
In the movies, getting past high-tech security is no joke. Like that scene in Minority Report when Tom Cruise has trouble hanging onto the squishy eyeball he needs to trick the retinal scanner. Or in Resident Evil, when the infiltration team meets up with those unfriendly lasers… Thankfully, in the real world, we’re not there yet. So it’s probably best to keep your eyes looking inwards, on the network. Learn the vulnerabilities of Web applications and how they put your organization at risk.
For a detailed overview of how you can test for vulnerabilities and the tools you need, register for the complimentary online presentation “Learn how to protect your corporate web application now! Web Application Security: Causes, Discovery and Remediation.”
This presentation, courtesy of eEye Digital Security and IDG Connect, will take place tomorrow, Tuesday, September 16, 2008 at 10:00 AM PDT/ 1:00 PM EDT. Register now, join your colleagues and have your questions answered live by expert presenters, all from the comfort of your PC.
We think you’ll find it both interesting and beneficial.
Proof-of-concept code has been released for the phpMyAdmin vulnerability, and all versions prior to 2.11.9.1 need to be updated. The 3.0.0 RC release is reportedly vulnerable as well. RC2 was released this morning; I cannot tell from the “Notes” section whether RC2 fixes this problem. http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0
Here is a roundup of the interesting SQL injections that were reported today. If you run any of these, make sure you update. If you don't run any of these, then you lucked out this time, but there is still time for more to be reported today.
phsBlog is a well-liked script on Hot Scripts. Too bad they didn't properly sanitize all of their inputs. This one could potentially leave a lot of people with holes in their blog.
vbLOGIX Tutorials SQL Exploit http://www.frsirt.com/english/advisories/2008/2563 http://secunia.com/Advisories/31829/
Product: http://www.vblogix.com/
There are so many open source “Tutorials” scripts out there that it seems silly to pay for one. vbLOGIX does have one you can pay for, and it just so happens that it now has a SQL injection. The advisory does not disclose what information can be accessed via the SQL injection, but it could be anything: exposed logins and passwords would be the most dangerous outcome, while manipulation of data might be minor (depending on your business).
Ruby on Rails “:limit” and “:offset” SQL Injection Vulnerabilities
http://www.frsirt.com/english/advisories/2008/2562
http://secunia.com/Advisories/31910/
Two vulnerabilities have been identified in Ruby on Rails, which could be exploited by remote attackers to execute arbitrary SQL queries. These issues are caused by input validation errors in ActiveRecord when processing the “:limit” and “:offset” parameters, which could be exploited by malicious people to conduct SQL injection attacks.
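A toy illustration of the :limit/:offset issue described above and the integer whitelist that closes it, as an added example that is not from the post or from Rails' own fix (function and table names are assumptions):

```ruby
# Added example, not from the post or from Rails itself: a toy SQL builder that
# mirrors the ActiveRecord :limit/:offset problem and a hardened version of it.
# Function and table names are assumptions.

# Vulnerable builder: whatever the caller supplied is interpolated verbatim,
# so a non-integer value becomes part of the SQL statement.
def build_query_unsafe(table, limit, offset)
  "SELECT * FROM #{table} LIMIT #{limit} OFFSET #{offset}"
end

# Hardened builder: LIMIT/OFFSET may only be non-negative integers. Anything
# else (SQL fragments, comments, blanks, nil) is rejected before it can reach
# the query string. A whitelist regex is used rather than to_i, because
# "10 OR 1=1".to_i silently yields 10 and hides the bad input.
def sanitize_limit(value)
  str = value.to_s.strip
  unless str.match?(/\A\d+\z/)
    raise ArgumentError, "invalid LIMIT/OFFSET value: #{value.inspect}"
  end
  str.to_i
end

def build_query_safe(table, limit, offset)
  "SELECT * FROM #{table} LIMIT #{sanitize_limit(limit)} OFFSET #{sanitize_limit(offset)}"
end

# True when the hardened path would refuse the value.
def rejected?(value)
  sanitize_limit(value)
  false
rescue ArgumentError
  true
end

if __FILE__ == $0
  # Constructed sample request parameters, e.g. from ?limit=...&offset=...
  params = { "limit" => "10 OR 1=1", "offset" => "0" }
  puts build_query_unsafe("posts", params["limit"], params["offset"])  # tainted SQL
  puts rejected?(params["limit"])                                       # true
  puts build_query_safe("posts", "25", " 50 ")                          # clean SQL
end
```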
WebPortal “aid” Parameter Remote SQL Injection Vulnerability http://www.frsirt.com/english/advisories/2008/2560
Summary: “download.php” script when processing the “aid” parameter
I don't exactly know why this “WebPortal” is listed as a vulnerability. There is no additional information as to who makes this product. WebPortals are pretty common on the web these days, and I think this advisory should be more specific. Props to StAkeR for finding it though.
iBoutique “cat” Parameter Remote SQL Injection Vulnerability http://www.frsirt.com/english/advisories/2008/2561 http://www.netartmedia.net/iboutique/
iBoutique is an online “boutique” store, so naturally this one deserves some attention. It needs to be updated if you run it.
Vulnerability: A vulnerability has been identified in iBoutique, which could be exploited by attackers to manipulate and inject SQL queries. This issue is caused by an input validation error in the “index.php” script when processing the “cat” parameter while “mod” is set to “products”, which could be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information.
If you use phpMyAdmin, you may not update as regularly as you should. It seems like every week they come out with an update. The thing about phpMyAdmin is that they release updates because exploits are released, but when they update they add a bunch of features. These features you may like or you may hate. Either way, you're forced to update if you don't want to be left exploited. Here is the “Fix list” for 2.11.9.1:
- bug #2031221 [auth] Links to version number on login screen
- bug #2032707 [core] PMA does not start if ini_set() is disabled
- bug #2004915 [bookmarks] Saved queries greater than 1000 chars not displayed
- bug #2037381 [export] Export type “replace” does not work
- bug #2037375 [export] DROP PROCEDURE needs IF EXISTS
- bug #2045512 [export] Numbers in Excel export
+ [lang] Norwegian UTF-8 original file remerged
- bug #2074250 [parser] Undefined variable seen_from
- (2.11.9.1) [security] Code execution vulnerability
Now, I've removed the colors and formatting. They haven't added any features in this one; it's just a bug fix release. They put the [security] fix at the bottom, which to me is more important than any of the other “bugs”. The bugs are not in order, so I'm wondering why they put security at the bottom. Anyhow, a code execution vulnerability is not good, so update before you get owned.
SQL injection is a class of exploits where an attacker can gain access to a database to retrieve data, add or remove database entries, bypass authentication, or even gain complete control of your server.
The Federal Deposit Insurance Corp. (FDIC) has presented a letter to all banks informing them of a list of best practices to secure their institution from spyware. The simple recommendations are surprisingly informative and are a good resource to share with friends and family.
How would you like to secure your RSS datafeed? It’s actually easier than you think, especially if you know a little C and have a little time on your hands…
The Internet Explorer 7 beta release date has been set to coincide with the release of Windows Vista (aka Longhorn) and the unnamed Longhorn server on…