Open source software security

Drupal OM Maximenu Multiple Vulnerabilities

The Drupal OM Maximenu module, prior to versions 6.x-1.44 and 7.x-1.44, suffers from a number of vulnerabilities, including several arbitrary script injection (XSS) flaws. The module also gives users with permission to "Administer OM Maximenu" the ability to execute arbitrary PHP with no indication of the power of this privilege. This could allow attackers who gain access to accounts with this permission to compromise the host web server, attack other users, and more.

Drupal Inf08 Theme XSS Vulnerability

The Drupal Inf08 theme, prior to version 6.x-1.10, contains an XSS vulnerability because it fails to properly sanitize taxonomy terms before display. This could allow attackers who have the ability to create taxonomy terms to perform arbitrary script injection attacks via persistent cross site scripting.

Secure Web Application Penetration Testing

Engaging in a web application penetration test (pen test) is an increasingly common task for today's infosec professionals. Sadly, there's not a whole lot of guidance about how to begin this process with respect to basic logistics. A lot of testers simply set up a web server, install the software to test, and begin pounding away. This approach presents a number of issues, however. Careful consideration and a measured approach are better investments of time and effort.

Web 3.0 is Mobile

Reviewing this morning's New York Times, skimming stories about Samsung counter-suing Apple over copyright infringement centering around patents for mobile technologies, and coverage of the recent Amazon EC2 cloud services outage taking down sites like 4square, and flipping past advertisements for the new Apple iPad2, it occurred to me that the technology world is experiencing a seismic shift like nothing it has seen since the introduction of the internet. Mobile technology is booming, end-running challenges formerly considered insurmountable, like the Germans circling the Maginot line.

Evaluating CMS Security

When evaluating content management systems (CMS) it is extremely important to include criteria covering security considerations. CMSes are complex and extremely powerful web applications, and as such present interesting security challenges. Although many of these challenges are not unique to CMS systems, they are often overlooked when performing product evaluations. CMSes are quickly becoming the de facto standard for deploying web based information systems – from websites to complex web applications.

PHP Arbitrary File Include

File include vulnerabilities in PHP present a pervasive problem that eludes many efforts at remediation. Understanding the dangers posed by the PHP include and require functions is critical to defending web applications. There are many strategies for utilizing file inclusion safely to protect against file include vulnerabilities (both local and remote) as well as directory traversal attacks and information disclosure vulnerabilities. Using native PHP functionality allows a developer to produce safe and maintainable PHP based web applications.

MadIrish Webmail PHP Remote File Inclusion Vulnerability

Ah yes, you know you've arrived when http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3058. Turns out my oldest open source project, MadIrish Webmail (also at http://webmail.madirish.net), suffered from a PHP remote file inclusion vulnerability. Sort of embarrassing since I like to think of myself as a security professional. I'll chalk this one up to old code though and keep on plugging. I was able to respond to the vulnerability report in a fairly timely fashion even though for some reason SourceForge didn't actually send me an email.

Protecting Your LAMP Site with a Robots.txt Honeypot

One standard form of information discovery and reconnaissance used by malicious attackers is to scan a target website and search for robots.txt files. The robots.txt file is designed to provide instructions to spiders or web crawlers about a site's structure and more importantly to specify which pages and directories the spider should not crawl. Often these files are used to keep a spider from crawling sensitive areas of a website, such as administrative interfaces, so that search engines don't cache the existence of such pages and functionality. It is precisely for this reason that a malicious attacker will look in a robots.txt file - they often provide roadmaps to sensitive data and administrative interfaces.

Security Evaluation of Frog CMS

Frog CMS (http://www.madebyfrog.com/) is a lightweight content management system written in PHP that supports several back-end databases (including MySQL). "Frog CMS simplifies content management by offering an elegant user interface, flexible templating per page, simple user management and permissions, as well as the tools necessary for file management."

Frog CMS uses a robust, object oriented PHP codebase that eliminates many of the most common web application vulnerabilities found in PHP. Frog CMS does, however, have some deficiencies that should be cause for concern. The following are issues identified during a short code audit of the application...

Creating a Robots.txt Honeypot

One common method of attacker reconnaissance against a website is to inspect the robots.txt file. Normally this file is used to guide spiders and automated crawlers, but it can give away essential information about the location of administrative interfaces and other sensitive details. By salting the robots.txt file with fake entries, and then configuring the server to blacklist clients that call these fake entries, a server administrator can be alerted to probes of the robots.txt contents and attackers will be significantly slowed in their recon efforts.

Using Paros for Web Application Auditing and Debugging

Paros is a wonderful free Java based tool that is invaluable for web application auditing, testing, and debugging. Although Paros is well known in web application security circles, it is less known in general web development circles. In this article I'll go over some of the great uses of Paros that cross over both realms. Paros' proxy feature is invaluable for inspecting traffic as it flows to and from your browser. This allows you to investigate things like how cookies are set, redirects being issued to a browser, and queries sent from the browser to the server. While Paros includes some automated scanning tools, these are rather weak, and Paros really shows its strength in the hands of a skilled penetration tester who knows what to look for.

Web Hacking Lesson 6 - Arbitrary Code Execution Vulnerabilities

Arbitrary code execution vulnerabilities are the most damaging sorts of vulnerabilities to find in web applications. A web application that exposes an attacker to a direct connection provides an easy route for system compromise. At the very least this sort of application will ensure a server compromise. Discovering, and preventing, code execution vulnerabilities is critical for developers in order to protect the systems that host their web applications.

Web Hacking Lesson 5 - File Upload Vulnerabilities

File upload vulnerabilities (and local file disclosure vulnerabilities) are some of the most devastating vulnerabilities in PHP applications. Learning how to spot these sorts of vulnerabilities, and prevent them, is critical for web application developers. In this, the fifth installment of the web hacking lessons, we explore how file upload and local file inclusion vulnerabilities can be exploited to compromise a web application's security.

Web Hacking Lesson 3 - Brute Force

Brute forcing a web application is a method to bypass traditional authentication checks. Although brute forcing may seem like an attack that a PHP developer might not be able to mitigate, it is actually an important consideration when developing web applications.

Web Hacking Lesson 2 - SQL Injection

SQL injection attacks bear many of the same fundamental hallmarks as XSS attacks. At its core, SQL injection abuses the web application to introduce unintended functionality. SQL injection aims to escape out of the confines of a developer-crafted SQL statement to alter the SQL. This tutorial/exercise demonstrates using SQL injection to bypass authentication. It also suggests several ways to mitigate the threat of SQL injection or prevent it altogether.

Web Hacking Lesson 1

This is the first in a series of training articles that goes hand in hand with a test site that should be downloaded and installed by the reader. The training is designed to help you gain experience with methods used by attackers to compromise web applications so you can build better applications and learn to defend your applications more successfully. This initial lesson covers Cross Site Scripting (XSS) attacks and includes instructions on downloading and installing the test application.

Securing User Input in Web Based Applications

User input validation is consistently one of the most widespread problems in software contributing to security incidents. Oftentimes software developers assume that users will only provide valid user input, or that users will only provide user input in one form. Many web application developers fail to understand the hostile environment their code will be exposed to. Gathering input via a form doesn't guarantee that the only data passed to the form processing script will be passed by the form. Developers should not expect that input types, names, or formats will match those laid out in the form the developers produce.

Web Development with CVS

Version control is a concept that has been around for quite some time. It turns out that it works extremely well for web development as well. In many development environments several programmers and/or designers might be working on the same project at once. This can make it difficult for the team to keep track of who made what changes, or which files are being worked on at what time.

Evaluating Open Source CMS Solutions

This is a white paper produced for the purpose of quantifying the evaluation of Open Source (OS) Content Management Systems (CMS). A fairly comprehensive look at how one goes about choosing an appropriate CMS.

PHP based Madirish Webmail Released

Madirish Webmail is a PHP, IMAP, and MySQL powered, web based mail user agent. Madirish Webmail provides a basic email client that sits on a POP3 server and allows for the standard view, reply, forward, and delete functionality of emails. Email attachments are also supported. In addition to basic email functions, Madirish Webmail contains an Address Book and Calendar, both of which allow for records to be shared between authenticated users on a system. Multi-day and recurring events can be scheduled on the Calendar as well. The download also includes an installer that will create all the necessary tables in the MySQL database to allow for easy set-up.

Designing a LAMP Based Online MUA

Documentation of my experimentation and eventual success with a system to import POP3 email into a MySQL database via a web interface.

Graduated Zoom Bar for ESRI Default Viewer

Sample code to create a 'Map Quest' like zoom in and zoom out bar for the ESRI default HTML viewer. Extensive knowledge of ESRI and the HTML viewer is required to implement this code, so be warned :)

HTML Tutorial 04

Including images in your web pages, including getting them and generating new ones.

HTML Tutorial 02

Building a template, formatting text, and using links in your HTML pages.

Designing a Data Driven Website - Part II

Data modeling, building a solid foundation for your data driven site. By carefully considering your content and building a strong data model you can build a robust content display and management system. Careful attention to detail is critical at these early planning stages.