Posts in Secure IT Practices
I told you so
[tags]Windows, Office, malware, vulnerabilities[/tags]
This appeared in USA Today yesterday: Cyberspies exploit Microsoft Office. This is yet more support for my earlier post.
So, are you ready to join the movement -- stop sending Word documents in email?
Update 4/28: And here is yet another story of how Word files are being used against victims.
The PHP App Insecurity Top 20
I’ve spent some of my down time in the past couple weeks working with the NIST NVD data to get stats on PHP application vulnerabilities. What follows is a breakdown of the 20 PHP-based applications that had the highest aggregate vulnerability scores (NIST assigns a score from 1-10 for the severity of each entry), and the highest total number of vulnerabilities, over the past 12 months. Of the two, I feel that the aggregate score is a better indicator of security issues.
A few caveats:
- The data here covers the period between April 1 2006 and April 1 2007.
- This obviously only includes reported vulnerabilities. There are surely a lot more applications that are very insecure, but for one reason or another haven’t had as many reports.
- I chose 20 as the cutoff mainly for the sake of making the data a little easier to swallow (and chart nicely). There are about 1,800 distinct apps in the NIST NVD that are (as far as I could determine) PHP-based.
Without further ado, here are the tepid Excel charts:
A couple notes:
- There are 25 entries in the top “20” by vulnerability count, due to matching vulnerability counts.
- I’d never even heard of MyBulletinBoard, the top entry in both lists. It hasn’t had any vulnerabilities in the NVD since September of 2006, which says something about how numerous and severe the entries between April and September 2006 were. This appears to be the same product as “MyBB,” so perhaps the situation has improved, as MyBB only has one NVD entry in the entire period (CVE-2007-0544).
- Wordpress has had a bad start to 2007, with numerous vulnerabilities that significantly increased its ranking. March 2007 was particularly bad, with 7 new vulnerabilities reported.
- Bulletin board/forum software is by far the most common type of application in the top 20. A couple forum apps that have very low numbers of vulnerability reports: Vanilla and FUDForum.
I do intend to keep this data up-to-date if people find it interesting, so let me know if you’d like me to do so, or if you’d like to see other types of analysis.
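The ranking method described above, as an added example that is not the post's own spreadsheet work or any NIST tool: it sums severity scores and counts entries per product inside a 12-month window, ranks by either metric, and keeps entries tied at the cutoff, which is how a "top 20" can hold 25 rows. All CVE ids, products, dates and scores below are constructed.

```php
<?php
// Added example, not from the original post or from NIST. Constructed NVD-like
// records: [cve id, product, published date, severity score 1-10]. Real NVD
// data would be loaded from the feed instead of written inline like this.
$entries = [
    ['CVE-EXAMPLE-0001', 'MyBulletinBoard', '2006-05-03', 7.5],
    ['CVE-EXAMPLE-0002', 'MyBulletinBoard', '2006-08-20', 7.5],
    ['CVE-EXAMPLE-0003', 'WordPress',       '2007-03-05', 4.3],
    ['CVE-EXAMPLE-0004', 'WordPress',       '2007-03-19', 6.8],
    ['CVE-EXAMPLE-0005', 'phpBB',           '2006-11-02', 5.0],
    ['CVE-EXAMPLE-0006', 'phpBB',           '2007-02-08', 4.0],
    ['CVE-EXAMPLE-0007', 'Vanilla',         '2007-01-15', 2.6],
    ['CVE-EXAMPLE-0008', 'phpBB',           '2005-12-30', 9.0], // outside window
];
// Aggregate per product inside [$start, $end), then rank by $by ('score' or
// 'count'), breaking ties on aggregate score.
function rank_products(array $entries, string $start, string $end, string $by): array
{
    $agg = [];
    foreach ($entries as [$cve, $product, $published, $score]) {
        if ($published < $start || $published >= $end) continue; // ISO dates compare as strings
        $agg[$product] ??= ['score' => 0.0, 'count' => 0];
        $agg[$product]['score'] += $score;
        $agg[$product]['count']++;
    }
    uasort($agg, fn($a, $b) => [$b[$by], $b['score']] <=> [$a[$by], $a['score']]);
    return $agg;
}
// Take the first $n ranked products plus anything tied with the nth on $by.
function top_n_with_ties(array $ranked, int $n, string $by): array
{
    $out = [];
    $cutoff = null;
    foreach ($ranked as $product => $stats) {
        if (count($out) >= $n && $stats[$by] < $cutoff) break; // past the cutoff, not tied
        $out[$product] = $stats;
        if (count($out) === $n) $cutoff = $stats[$by];
    }
    return $out;
}
foreach (['score', 'count'] as $metric) {
    echo "Top 2 by $metric (ties kept):\n";
    $ranked = rank_products($entries, '2006-04-01', '2007-04-01', $metric);
    foreach (top_n_with_ties($ranked, 2, $metric) as $product => $s) {
        printf("  %-16s score=%4.1f count=%d\n", $product, $s['score'], $s['count']);
    }
}
```

With this sample the "top 2" by count returns three products, because phpBB ties WordPress and MyBulletinBoard on count, which mirrors the 25-entry "top 20" noted above.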
[tags]php, security, application security, vulnerabilities, nist, nvd, statistics[/tags]
Do Open Source Devs Get Web App Security? Does Anybody?
A colleague of mine who is dealing with Plone, a CMS system built atop Zope, pointed me to a rather disturbing document in the Plone Documentation system, one that I feel is indicative of a much larger problem in the web app dev community.
The document describes a hole (subsequently patched) in Plone that allowed users to upload arbitrary JavaScript. Apparently no input or output filtering was being done. Certainly anyone familiar with XSS attacks can see the potential for stealing cookie data, but the article seems to imply this is simply a spam issue:
Is this a security hole? No. This is somebody logging in to your site (if you allow them to create their own users) and adding content that can redirect people to a different web site. Your server, site and content security is not compromised in any way. It's just a slightly more sophisticated version of comment spam. If you open up your site to untrusted users, there will always be a certain risk that people add content that is not approved. It's annoying, but it's not a security hole.
Well, yes, actually, it is a security hole. If one can place JavaScript on your site that redirects the user to another page, they can certainly place JavaScript on your site that grabs a user's cookie data and redirects that to another site. Whether or not they'll get something useful from the data varies from app to app, of course. What's worrisome is that it appears as if one of Plone's founders (the byline on this document is for Alexander Limi, whose user page describes him as “one of Plone's original founders.”) doesn't seem to think this is a security issue. After getting feedback from Alexander Limi, it seems clear that he does understand the user-level security implications of the vulnerability, but was trying to make the distinction that there was no security risk to the Plone site itself. Still, the language of the document is (unintentionally) misleading, and it's very reminiscent of the kinds of misunderstandings and excuses I see all the time in open-source web app development.
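The output filtering the post says was missing, as an added example that is not Plone's code or the original post's: user-supplied content is HTML-escaped before rendering, and the session cookie is marked HttpOnly so script that does get onto a page cannot read it through document.cookie. The sample content is constructed.

```php
<?php
// Added example, not from Plone or the original post.

// Escape everything HTML-significant (including quotes) for the page's charset,
// so user content is displayed as text rather than interpreted as markup.
function render_user_content(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defence in depth for the cookie-theft case: must run before session_start().
// HttpOnly keeps the session cookie out of reach of document.cookie.
function harden_session_cookie(): void
{
    ini_set('session.cookie_httponly', '1');
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
}

// Constructed sample: the redirect content the Plone document called "comment spam".
$sample = '<script>location="http://example.invalid/"</script>';
harden_session_cookie();
echo render_user_content($sample), "\n"; // rendered inert as &lt;script&gt;...
```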
The point here is (believe it or not) not to pick on Plone. This is a problem prevalent in most open source development (and in closed source dev, from my experience). People who simply shouldn't be doing coding are doing the coding -- and the implementation and maintenance.
Let's be blunt: A web developer is not qualified to do the job if he or she does not have a good understanding of web application security concepts and techniques. Leaders of development teams must stop allowing developers who are weak on security techniques to contribute to their products, and managers need to stop hiring candidates who do not demonstrate a solid secure programming background. If they continue to do so, they demonstrate a lack of concern for the safety of their customers.
Educational initiatives must be stepped up to address this, both on the traditional academic level and in continuing education/training programs. Students in web development curriculums at the undergrad level need to be taught the importance of security and effective secure programming techniques. Developers in the workforce today need to have access to materials and programs that will do the same. And the managerial level needs to be brought up to speed on what to look for in the developers they hire, so that under-qualified and unqualified developers are no longer the norm on most web dev teams.
PHPSecInfo v0.2 now available
- Added link to "more info" in output. These lead to pages on the phpsec.org site giving more details on the test and what to do if you have a problem
- Modified CSS to improve readability and avoid license issue with PHP (the old CSS was derived from the output of phpinfo())
- New test: PhpSecInfo_Test_Session_Save_Path
- Added display of "current" and "recommended" settings in test result output
- Various minor changes and bug fixes; see the CHANGELOG for details
As if we needed more evidence that register_globals is bad
funkatron@foo > php xpl.php foo.com /wp/
---------------------------------------------------------------------------
Wordpress < = 2.0.6 wp-trackback.php Zend_Hash_Del_Key_Or_Index / / sql injection admin hash disclosure exploit
(needs register_globals=on, 4 <= PHP < 4.4.3,< 5.1.4)
by rgod
dork: "is proudly powered by WordPress"
mail: retrog at alice dot it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------
pwd hash ->
admin user ->
exploit failed...

This is a good example of why web app security (and any security, for that matter) must be multilayered: on the hardware level, on the server daemon level, on the language environment level, and on the code level. So, for the love of god, STOP ENABLING REGISTER_GLOBALS, upgrade to Wordpress 2.0.7, and (shameless plug) use PhpSecInfo to audit your PHP environment. ;)
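Why register_globals is a layer of its own, as an added example that is not from the original post, WordPress or PhpSecInfo: the first function simulates what register_globals=on does to code that never initializes a variable, the second is the same check written so request input cannot reach it, and the third is a PhpSecInfo-style audit of the setting. The request array and the variable names are constructed.

```php
<?php
// Added example, not from the original post, WordPress or PhpSecInfo.
// Constructed request: an attacker-controlled query string ?is_admin=1
$request = ['is_admin' => '1', 'page' => 'home'];

// Vulnerable pattern: assumes $is_admin is unset unless a successful login set it.
// register_globals=on behaves much like extract() over the request, so the
// variable already exists before any login logic runs.
function vulnerable_is_admin(array $request): bool
{
    extract($request);            // simulates register_globals: defines $is_admin = '1'
    // ... login code that would set $is_admin = true only on success never ran ...
    return !empty($is_admin);
}

// Hardened pattern: every variable is initialized, and the decision is derived
// from server-side session state, never from request parameters.
function hardened_is_admin(array $request, array $session): bool
{
    $is_admin = false;            // always initialized
    if (isset($session['user_role']) && $session['user_role'] === 'admin') {
        $is_admin = true;
    }
    return $is_admin;
}

// Environment check in the spirit of a PhpSecInfo test. register_globals is a
// per-directory/php.ini setting, so it can only be reported here, not fixed.
// ini_get() returns false on PHP versions where the directive no longer exists.
function audit_register_globals(): array
{
    $current = ini_get('register_globals');
    $enabled = $current !== false && filter_var($current, FILTER_VALIDATE_BOOLEAN);
    return [
        'current'     => $current === false ? '(directive not present)' : $current,
        'recommended' => 'off',
        'status'      => $enabled ? 'WARN' : 'OK',
    ];
}

var_dump(vulnerable_is_admin($request));
var_dump(hardened_is_admin($request, []));
print_r(audit_register_globals());
```

Under the simulated register_globals behaviour the first check grants admin to an anonymous request, the second does not, and the audit output follows the "current"/"recommended" layout that PhpSecInfo v0.2 adds to its test results.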