Open source software security

Drupal Hotblocks Module XSS and DoS Vulnerabilities

The Drupal HotBlocks module contains a persistent cross site scripting (XSS), or arbitrary script injection, vulnerability due to the fact that it fails to sanitize user supplied data before display. The HotBlocks module also suffers from a denial of service vulnerability due to a user triggered infinite code loop.

DLL Hijacking Storm a Brewin'

About three weeks ago a newly re-minted vulnerability class was announced on the Full Disclosure mailing list (http://seclists.org/fulldisclosure/2010/Aug/324). The class of vulnerability has actually been known to reverse engineers for a long time, but they used it to gain access to program flow to inspect existing code rather than for malicious purposes. In a nutshell the vulnerability hinges on the fact that some Windows programs will look for dynamic link libraries (DLL's) in their current working directory first before searching program and system directories.

Using Drupal XML-RPC to Bypass Authentication Failure Detection

Drupal provides robust, and largely ignored, XML remote procedure call (RPC) functionality. This functionality is available through the xmlrpc.php file that is available at the Drupal root in any installation. Any module can provide a hook into the XMLRPC interface by providing a moduleName_xmlrpc() function. However, some XMLRPC functionality allows malicious attackers to launch a brute force attack against a site without causing any login failure messages to appear in the site logs.

Drupal provides robust, and largely ignored, XML remote procedure call (RPC) functionality.

Udev Exploit Allows Local Privilege Escalation

A nasty new udev vulnerability is floating around in the wild that allows local users on Linux systems with udev and 2.6 kernels (2.6 is required for udev) to gain root privileges. Exploit code has been published and is quite easy to use. Secunia has an advisory at http://www.securityfocus.com/bid/34536 and a further discussion can be found at http://blog.cr0.org/2009/04/interesting-vulnerability-in-udevd.html.

Serious Vulnerability Reported in Google Chrome

A serious security vulnerability has been found in Google's new Chrome browser. Since the announcement of the new browser the security community has been putting it through the paces. Early reports indicated a few minor bugs and a vulnerability to the ubiquitous "carpet bomb" attack that has plagued other browsers. The new vulnerability reported is a full blown buffer overflow exploit that could allow remote attackers to execute malicious code with the privileges of the browser.

Debian OpenSSL Predictable Key Vulnerability

It seems Debian has introduced a critical flaw into the OpenSSL implementation that could allow an attacker to listen in on an encrypted web session or even an SSH session. What's worse is that even after an upgrade, old keys will still contain this vulnerability. This means that Debian (and Debian based systems - like Ubuntu) will have to patch/upgrade their systems and then regenerate all of their encryption keys. The Debian announcement can be found at Debian.org and the Ubuntu advisory can be found at Ubuntu.com. Update your systems as soon as you can! Update: It looks like code has been released to the wild to brute force ssh keys to gain unauthorized access to servers running the bad openssl code (with openssh and key authorization enabled):

MadIrish Webmail PHP Remote File Inclusion Vulnerability

Ah yes, you know you've arrived when http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3058. Turns out my oldest open source project, MadIrish Webmail (also at http://webmail.madirish.net), suffered from a PHP remote file inclusion vulnerability. Sort of embarrassing since I like to think of myself as a security professional. I'll chalk this one up to old code though and keep on plugging. I was able to respond to the vulnerability report in a fairly timely fashion even though for some reason SourceForge didn't actually send me an email.

Anatomy of Web Bugs

Web bugs are tracking tools used by HTML to track hits via server requests. They are almost ubiquitous in HTML spam, which is why you should use a text email reader. Article covers how web bugs work and how to use them.