PHP-CGI Query String Parameter Vulnerability
A serious PHP vulnerability has been released today. Only sites running PHP as a CGI script are affected. From php.net:
Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an ‘indexed’ query. This is identified by a “GET” or “HEAD” HTTP request with a URL search string not containing any unencoded “=” characters.
By constructing a URL similar to the following on a PHP-CGI site, an attacker could dump the highlighted source of that script.
http://example.com/index.php?-s
php.net has issued a patch to fix this issue in PHP 5.3.12 or PHP 5.4.2. However, as pointed out by De Eindbazen, the patch is trivial to bypass.
A workaround has been provided by php.net using Apache’s mod_rewrite:
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
Other mitigation options have been proposed by De Eindbazen, but you may find the mod_rewrite method to be the best approach until PHP releases a better fix.
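As an added example (not from the original post or php.net), here is the same condition mirrored in shell: a check that tells you whether a given query string would match the workaround, a simulation of what the rewrite does to the request, and an awk scan over constructed access-log lines to find past requests that would have matched before the rule was in place.

```shell
#!/bin/sh
# Added example: the php.net workaround's condition, mirrored outside Apache.
# It matches a query string that starts with "-" (or its URL encoding %2d, any
# case) and contains no "=" at all, which is exactly the CGI "indexed query"
# case that can reach php-cgi as command-line options.

# Exit 0 when the query string in $1 would match the RewriteCond.
is_indexed_query() {
    printf '%s\n' "$1" | grep -Eiq '^(%2d|-)[^=]+$'
}

# Simulate 'RewriteRule ^(.*) $1? [L]': print path ($1) with the query string
# ($2) dropped when the condition matches, the original request otherwise.
rewrite_request() {
    if is_indexed_query "$2"; then
        printf '%s\n' "$1"
    elif [ -n "$2" ]; then
        printf '%s?%s\n' "$1" "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Retro-hunt: read a common-log-format access log on stdin and print the
# request URI of every GET/HEAD whose query string matches the same pattern
# (POSIX awk has no case-insensitive flag, hence %2[dD]).
scan_access_log() {
    awk '($6 == "\"GET" || $6 == "\"HEAD") {
            q = index($7, "?")
            if (q && substr($7, q + 1) ~ /^(%2[dD]|-)[^=]+$/) print $7
         }'
}

# Constructed sample log lines (not real traffic) to exercise the scanner.
sample_log() {
    printf '%s\n' \
      '10.0.0.5 - - [03/May/2012:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 812' \
      '10.0.0.6 - - [03/May/2012:10:00:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512' \
      '10.0.0.7 - - [03/May/2012:10:00:03 +0000] "HEAD /index.php?%2Ds HTTP/1.1" 200 0' \
      '10.0.0.8 - - [03/May/2012:10:00:04 +0000] "POST /index.php?-s HTTP/1.1" 200 10'
}

sample_log | scan_access_log   # prints the two GET/HEAD hits
```

Note that, like the rule itself, the check ignores any query string containing an "=", because the CGI spec only treats a query without "=" as an indexed query.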
Paravirtualization with Citrix XenServer 6.0 and Ubuntu 12.04
Given everyone’s interest in how to set up Paravirtualization with Citrix XenServer 5.5 and Ubuntu 10.04, and with Ubuntu Precise Pangolin 12.04 LTS now released, you may be interested in getting the new Long Term Support (LTS) version running in Paravirtualized (PV) mode.
Even more exciting: while the latest version of Citrix XenServer, 6.0.2, doesn’t come with an Ubuntu 12.04 template out of the box, Ubuntu 12.04 officially supports Xen. The release notes proclaim:
Xen is now included and officially supported:
- Provides the facility to run Ubuntu as a Xen virtualisation host (dom0)
- Libvirt integration/Xen domains manageable through libvirt or any frontend that uses libvirt.
- Guest installations in HVM mode will use optimized paravirt drivers out of the box.
Read More
VPN DNS Resolving Woes in Ubuntu 12.04
If you have recently upgraded to Ubuntu 12.04, you may have experienced problems resolving hosts when using a DNS server over a VPN connection.
Here’s a likely situation: you find that hosts with a .local (or other private) suffix served by the remote DNS server do not resolve, yet command-line utilities such as nslookup and host can find them.
Ubuntu has made significant changes to how DNS works; it’s moved to the resolvconf library for managing /etc/resolv.conf and uses dnsmasq as a local DNS resolver. Ubuntu Core developer Stéphane Graber has blogged about these changes, along with possible solutions to common problems.
In my case, after reading his blog post, I tried the solutions he provides to common problems. Nothing seemed to work. Then I stumbled across a question on Stack Overflow, which sounded strikingly similar.
It turns out that the problem is with how host names are being resolved in functions like gethostbyname(3). You could probably go through and edit /etc/nsswitch.conf like the Stack Overflow article describes, but you may not feel comfortable adjusting the file without knowing what the repercussions would be.
The real solution is to follow the recommendations from the Avahi project, since Avahi is the component that handles .local name resolution.
Here is a walk-through of the steps to fix this problem:
Open up a terminal and edit the following file:
sudo nano /etc/avahi/avahi-daemon.conf
Change the following line:
#domain-name=local
to
domain-name=.alocal
Save the file and exit: press Ctrl+O, then Ctrl+X.
Restart Avahi:
sudo service avahi-daemon restart
You should now be able to resolve .local hosts provided by your VPN’s DNS server.
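An added, scriptable version of the edit above (example code, not from the original post): the function takes the config path as a parameter so the change can be tried on a copy first, refuses to guess if the expected commented-out line is absent, keeps a backup, and does nothing on a second run.

```shell
#!/bin/sh
# Added example: the walk-through's edit to avahi-daemon.conf, done
# non-interactively. The config path is a parameter; the assumed default is
# the real file, /etc/avahi/avahi-daemon.conf.
fix_avahi_domain() {
    conf=${1:-/etc/avahi/avahi-daemon.conf}
    [ -f "$conf" ] || { echo "fix_avahi_domain: no such file: $conf" >&2; return 1; }
    # Already changed on a previous run: nothing to do.
    if grep -q '^domain-name=\.alocal$' "$conf"; then
        return 0
    fi
    # Refuse to guess if the expected commented-out line is not there.
    if ! grep -q '^#domain-name=local$' "$conf"; then
        echo "fix_avahi_domain: '#domain-name=local' not found in $conf" >&2
        return 1
    fi
    cp "$conf" "$conf.bak"      # keep a backup in case .local must be restored
    # Portable alternative to 'sed -i': write a temp file, then move it into place.
    sed 's/^#domain-name=local$/domain-name=.alocal/' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
    # Verify the edit actually landed.
    grep -q '^domain-name=\.alocal$' "$conf"
}

# Run as root against the real file, then restart Avahi as in the walk-through:
#   fix_avahi_domain && service avahi-daemon restart
```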
The Mythical Ruby Splat
Most Rubyists are aware of variable length arguments in a method definition. For example:
Just as a refresher, the * operator, commonly known as a “splat,” collects the arguments into an array object. So in the example above, the variable *names is an array object, which means it can be used just like any other array:
What blew my mind recently was stumbling across Ruby code where the name for the “splat” was missing. I assure you that this is valid Ruby code:
Read More
Secure Application Development and the OWASP Top 10
Some of you may already be familiar with the Open Web Application Security Project (OWASP) and its Top 10 2010 list due in part to Requirement 6.5 of the Payment Card Industry Data Security Standard (PCI DSS):
6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following:
Note: The vulnerabilities listed at 6.5.1 through 6.5.9 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
For those of you who are not familiar with OWASP and their Top 10, the OWASP Top 10 2010 was aimed at highlighting simple problems that can plague applications and ultimately undermine security. Given recent news stories, and the renewed interest of the general public in information security, I thought it was worth taking a run through each of the Top 10 as sort of a refresher. We’ll make sure to crosslink the various posts as we publish them.
Read More
Threat to Privacy all the Rage
The Internet has been abuzz recently concerning the changes Google made to its privacy policy. Opinions following Google’s consolidation of dozens of separate privacy policies into a single policy seem to run the gamut, but, as is often the case, those opposed to the change seem to have been speaking a bit louder.
While everyone is certainly entitled to their own opinions, Thomas Claburn over at InformationWeek Security does his best to explain why; in his words:
The outcry is both appropriate and ridiculous.
Read More
Statistical Analysis of the Impact of Data Breach Legislation
Recently, an interesting paper entitled “Empirical Analysis of Data Breach Litigation” was brought to my attention. A group of researchers took an empirical look at actual litigation events for data breaches under data breach notification statutes and arrived at some interesting conclusions. As it states in the abstract:
Our results suggest that the odds of a firm being sued in federal court are 3.5 times greater when individuals suffer financial harm, but over 6 times lower when the firm provides free credit monitoring following the breach.
For those interested, you can download the 27-page draft report.
Microsoft Remote Desktop Vulnerability Identified and may be in the Wild
Both Threatpost and the SANS Storm Center report that Microsoft RDP services are vulnerable. The exploit is rumored to be capable of crashing vulnerable Windows machines or causing a denial of service.
Companies using RDP should install the Microsoft patch and, in the meantime, block off RDP from all sources except those absolutely required for the business.
IDA Pro Book, 2nd Edition - A Must-Have Reference
At last year’s Defcon, I wandered around the vendor area looking for the EFF to make a donation. While looking for the EFF, I came across the No Starch Press booth and noticed that they had the second edition of The IDA Pro Book. As an IDA user, I had always wanted to read the first edition, but never made the time to do so. I had previously read several other No Starch Press books though and found that they were top-notch, so I picked up a copy of the second edition of the IDA Pro Book with every intention of reading it sooner rather than later.
Read More
403 Labs, LLC Adds Two New Project Managers
Brookfield, WI – March 8, 2012 – 403 Labs, LLC, a leading information security consulting and services company, has added Meg Bridgeman and Justin Vermilyea to its staff as Project Managers.
As Project Managers, Meg and Justin will each be responsible for guiding client engagements from inception to completion by coordinating efforts between internal and external project teams. The expansion of the project management team will serve to enhance the already responsive, hands-on approach that 403 Labs takes to client engagements; an approach that has earned them a strong reputation amongst their clients and peers, and has led to steady growth for the organization.
“As 403 Labs enters its eighth consecutive year of growth, we continue to focus on expanding our service offerings and enriching our client relationships to provide our clients the support they need in working toward their compliance and security goals,” said D. J. Vogel, 403 Labs’s Principal. “Both Meg and Justin bring unique skill sets, experiences and personalities that will lend themselves toward enhancing interactions with our clients.”
Prior to joining 403 Labs, both Meg and Justin compiled valuable experience in a variety of roles. Meg’s previous positions included work as an Information Technology Operations Support Specialist, Sales Coordinator and Technical Writer. Justin had spent the last six years working as a Business Analyst and Systems Liaison for a website development company.
About 403 Labs
403 Labs is a full-service information security and compliance consulting firm. 403 Labs specializes in performing compliance audits, computer security assessments, penetration tests and computer forensic investigations. As a company with an international presence, 403 Labs has the privilege of working with leading financial institutions, payment card processors and merchants from around the world. 403 Labs’s team has extensive knowledge and experience in cross-industry verticals, including the payment card, financial, restaurant, hospitality, healthcare and educational sectors. 403 Labs is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA), a Payment Application Qualified Security Assessor (PA-QSA) and a PCI Forensic Investigator (PFI) certified to perform the requirements of the Payment Card Industry Data Security Standard (PCI DSS). For more information please visit www.403labs.com.