
Press Releases by WebKnowHow


Cenzic Research Lab Names Top Five Critical Web Application Vulnerabilities for May and June


July 28, 2006; 04:22 AM
Cenzic's Intelligent Analysis (CIA) research lab named the top five most serious web application vulnerabilities for the months of May and June 2006. CIA specializes in the continuous research of application vulnerabilities and the development of remediation strategies to assist customers with their web application security needs in enterprise environments.

Under the auspices of CIA, Cenzic evaluates a wide range of newly discovered application vulnerabilities and prioritizes them based on their severity and potential to impact regulatory compliance, internal policy compliance, information privacy and financial losses. This information is released on a monthly or bi-monthly basis and can be used by enterprises as a first step in addressing the security of custom and commercial web applications.

The CIA team analyzed all web application security vulnerabilities discovered in May and June and named the following as the top five most serious vulnerabilities for this time period:

1. Multiple Vulnerabilities in HP Openview

[CIA-1052-Alert]

Versions 5.1 and 5.5 of HP Openview Storage Data Protector are vulnerable to remote command injection attacks. Sites running affected versions should apply the security fix discussed in the HP Security Bulletin HPSBMA02121 SSRT061157 rev 1. Additionally, versions 6.20, 6.4X, 7.01, and 7.50 of HP Network Node Manager were found to be vulnerable to attacks allowing unauthorized access to the server, the ability to create arbitrary files, and command execution. Affected sites should apply the security fix discussed at: http://www2.itrc.hp.com/service/cki/docDisplay.do?docId=c00672314 (login needed).

2. Multiple Vulnerabilities in Weblogic Server

[CIA-1053-Alert]

Multiple vulnerabilities were disclosed in versions of the Weblogic Server platform, including JSP Source Disclosure, JTA unencrypted Transactions, Domain Name Information Leak, Weblogic password log exposure, Weblogic Internal Network Information Disclosure, Weblogic Private Key Exposure, Weblogic stopweblogic.sh exposure, Quality of Service Error Information Leak, Admin Password Local Exposure, and JDBC Security Policy Vulnerability. Cenzic Hailstorm identifies these vulnerabilities to aid in the application of security fixes or upgrades. Affected sites should apply the respective security fixes, which can be accessed by visiting: http://dev2dev.bea.com/advisoriesnotifications/index.html

3. Multiple Vulnerabilities in PHP Hypertext Processor

[CIA-1054-Alert]

PHP version 5.1.3 (http://www.php.net/release_5_1_3.php) resolves the following security issues:

--  Disallow certain characters in session names
--  Fixed a buffer overflow inside the wordwrap() function
--  Prevent jumps to parent directory via the 2nd parameter of the
    tempnam() function
--  Enforce safe_mode for the source parameter of the copy() function
--  Fixed cross-site scripting inside the phpinfo() function
--  Fixed offset/length parameter validation inside the substr_compare()
    function
--  Fixed a heap corruption inside the session extension
--  Fixed a bug that would allow a variable to survive unset()
    

4. PostgreSQL Encoding Processes May Let Remote Users Inject SQL Commands

[CIA-1055-Alert]

Versions of Postgres prior to 8.1.4, 8.0.8, 7.4.13, and 7.3.15 do not properly validate user-supplied input, allowing a remote attacker to conduct SQL injection attacks by supplying invalid multi-byte characters. Another vulnerability relates to the use of slashes to escape ASCII characters when multibyte encodings are in use, resulting in conditions where it is possible to perform SQL injection against the Postgres database. Security fixes can be found at: http://www.postgresql.org/docs/techdocs.50

5. Sun ONE and Sun Java System Application Server Cross-Site Scripting

[CIA-1056-Alert]

Sun ONE server version 7 prior to update 9 and multiple versions of the Java System Application Server and Enterprise Edition are susceptible to Cross-site Scripting. Security fixes have been released for affected sites including SPARC, x86, LINUX, and Windows. For additional information, please visit: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102479-1

About Cenzic's Ratings

Cenzic uses a proprietary formula for calculating the severity of vulnerability information. Cenzic's risk metrics are subject to change without notice. The vulnerabilities selected for this alert were chosen due to one or more of the following factors:

--  Origin: the vulnerability could be exploited by unauthenticated remote
    users;
--  Boundary: the vulnerability would allow privilege escalation upon a
    successful attack;
--  Popularity: the software is widely used or deployed; and
--  Criticality: the vulnerability fits the profile of the critical areas
    identified by OWASP, CSI, SANS, or other sources.
    

That a particular vulnerability is rated as severe does not imply negligence on the part of the author/maintainer/vendor of the affected software.

Cenzic has taken immediate steps to ensure that users of Cenzic Hailstorm are proactively alerted against these and other serious security vulnerabilities. CIA monitors security vulnerability information as it is released to ensure that Hailstorm provides up-to-date, comprehensive detection and remediation of the most severe application security vulnerabilities. For more information, please visit Cenzic's CIA website at http://www.cenzic.com/cia_research/ .

About Cenzic Intelligent Analysis (CIA) Research

The Cenzic Intelligent Analysis (CIA) team specializes in continuous research into application vulnerabilities and the latest tools and techniques used within the field of application security. The CIA team monitors the latest vulnerabilities and trends affecting application security by tracking Internet newsgroups, forums, mailing lists, and underground websites where vulnerability information is released. In addition to its research focus, CIA experts also perform vulnerability assessment, penetration testing, and security testing.

Cenzic has dedicated experts whose sole job is to perform ongoing research to not only analyze known vulnerabilities but also discover new or undisclosed vulnerabilities in custom, commercial, and open-source applications, and to make this information available to customers and to the community at large in the form of publications and security alerts. Like anti-virus software, Cenzic Hailstorm is updated on a regular basis with new vulnerability information to give customers an advantage in staying ahead of new vulnerabilities.

About Cenzic

Cenzic is a leading provider of the next-generation enterprise software and a leading Managed Service offering for automated application security assessment and compliance that allows Fortune 1000 corporations, mid-sized corporations, and government organizations to dramatically improve the security of web applications. Cenzic® Hailstorm®, the most accurate and extensible product in the industry, enables security experts, QA professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities. Hailstorm benefits include reduced security risk and liability, lower development and testing costs, and faster time-to-market. Cenzic ClickToSecure™ service is one of the industry's first Software as a Service (SaaS) to combine the power of an enterprise-class application security assessment product with the flexibility of a managed security service. Cenzic Assessment Methodology completes the solution with a state-of-the-art business process consulting service to help customers improve their application security methodologies. Cenzic solutions are the most accurate, comprehensive, and extensible in the industry. Cenzic's current focus includes financial services, e-retail, healthcare, and government sectors. For more information, visit www.cenzic.com.
