AppSec Blog

Weekly Roundup of @Risk Web Application Vulnerabilities


@RISK: The Consensus Security Vulnerability Alert

October 28th, 2010 Vol. 9. Week 44


Web Application - Cross Site Scripting

Web Application - SQL Injection

Web Application


Want to learn how to virtually patch these web application vulnerabilities? Come to the SANS@Night talk at the upcoming Cyber Defense Initiative (CDI) conference entitled:

Virtually Patching the SANS @Risk Web Vulnerabilities

- Ryan Barnett
- Tuesday, December 14, 2010 - 7pm to 8pm

What is your Time-to-Fix metric for remediating identified web application vulnerabilities? Is it measured in hours, days or months? Let's face the facts: there are many real-world business scenarios where it is not possible to update web application code in a timely manner, or at all. This is where the tactical use case of implementing a virtual patch to address identified issues proves its worth. This talk assumes that all attendees already understand the rationale and business justification for virtual patches and will instead focus on real-world examples of web application vulnerabilities taken from the weekly SANS @Risk newsletter. We will walk through the steps of identifying the critical attack details, then creating and testing a virtual patch using the open source ModSecurity web application firewall.


This Week's @Risk Spotlight

Best Practical Solutions RT (Request Tracker) ShowConfigTab Security Bypass

  • 10.44.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Best Practical Solutions RT (Request Tracker) ShowConfigTab Security Bypass
  • Description: RT (Request Tracker) is a web-based issue tracking system. RT is exposed to a security bypass issue because it does not properly restrict access, and allows arbitrary users with the "ShowConfigTab" permission to edit the global "RT at a Glance" resource.
  • Ref:
The link above provides an actual patch to the source code of the vulnerable MyRT.html file:
--- share/html/Admin/Global/MyRT.html
+++ share/html/Admin/Global/MyRT.html
@@ -83,6 +83,8 @@

my ($default_portlets) = $sys->Attributes->Named('HomepageSettings');

+my $has_right = $session{'CurrentUser'}->HasRight( Object=> $RT::System, Right => 'SuperUser');
my @panes = $m->comp(
panes => ['body', 'summary'],
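Review bot: `$has_right` is computed here but nothing in this hunk acts on it, so a user without the SuperUser right still reaches the page and the portlet editor is rendered via `$m->comp(`; only the save path is gated. Consider evaluating `HasRight( Object => $RT::System, Right => 'SuperUser')` before the component is built and aborting or redirecting on failure, so the global admin form is never shown to users who cannot save it.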
@@ -91,8 +93,13 @@
current_portlets => $default_portlets->Content,
OnSave => sub {
my ( $conf, $pane ) = @_;
-$default_portlets->SetContent( $conf );
- push @actions, loc( 'Global portlet [_1] saved.', $pane );
+ if (!$has_right) {
+ push @actions, loc( 'Permission denied' );
+ }
+ else {
+ $default_portlets->SetContent( $conf );
+ push @actions, loc( 'Global portlet [_1] saved.', $pane );
+ }
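Review bot: the denied branch only does `push @actions, loc( 'Permission denied' );` and the request otherwise completes normally, so a user probing this resource without the SuperUser right leaves no trace beyond the message they see. Consider also logging the rejected save (current user and `$pane`) on this path, so forceful-browsing attempts against the global "RT at a Glance" settings are visible to operators.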
As you can see from the "+" lines added by the patch, the new code adds logic to verify that the current user actually has "SuperUser" rights within the application before allowing access to the resource. If they do not have this level of access, a "Permission denied" message is returned. These types of Insufficient Authorization issues are a big problem in applications where attackers can use forceful browsing methods to access resources regardless of whether there is a direct link to them or not.

S-CMS Multiple Local File Include Vulnerabilities

  • 10.44.32 - CVE: Not Available
  • Platform: Web Application
  • Title: S-CMS Multiple Local File Include Vulnerabilities
  • Description: S-CMS is a PHP-based application for content management. The application is exposed to multiple local file include issues because it fails to properly sanitize user-supplied input. S-CMS 2.0-Beta3 is affected.
  • Ref:
This vulnerability has to do with the S-CMS application not correctly handling Null Byte Injections (%00), which will allow an attacker to bypass filename restrictions. Example attacks from the vulnerability announcement include:
Note: Of course, use a null byte (%00) when you want to include a file with an extension other than "php"

<<<<---------++++++++++++++ Condition: register global = ON +++++++++++++++++--------->>>>

[++] var --> 'lang'

~~~~~> http://[HOST]/[PATH]/?lang=[LFI]%00

<<<<---------++++++++++++++ Condition: Be admin user +++++++++++++++++--------->>>>

[++] GET var --> 'plug'

~~~~~> http://[HOST]/[PATH]/admin.php?op=admin&plug=[LFI]%00

<<<<---------++++++++++++++ Condition: Nothing +++++++++++++++++--------->>>>

[++] GET var --> 'file'

~~~~~> http://[HOST]/[PATH]/plugin.php?page=contact&file=[LFI]%00
As these examples show, by appending a Null Byte character (%00) to the end of the parameter payload, an attacker is able to bypass filename restriction mechanisms and thus access other local files on the system. From a defensive perspective, it is recommended that you look for Null Byte characters and either handle them correctly or alert when they are encountered. One example of detecting Null Byte characters is shown in the OWASP ModSecurity Core Rule Set Project, in the modsecurity_crs_20_protocol_violations.conf file:
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateByteRange 1-255" \
    "phase:2,rev:'2.0.8',block,log,msg:'Invalid character in request',id:'960901'"
This rule allows every byte value from 1 to 255 in the inspected arguments, argument names and request headers (the Referer header is excluded), so the only character it blocks is the Null Byte (0x00).
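As an added illustration that is not part of the original post or of the CRS itself, the following Python models what rule 960901 does (byte-range validation of URL-decoded arguments, argument names and headers, Referer excluded) against request shapes modelled on the advisory above, and pairs it with the application-side check that removes the root cause. The function names, the `safe_include_path` helper and the sample requests are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def decoded_request_fields(url, headers):
    """Yield (location, value) for what the CRS rule inspects: ARGS and
    ARGS_NAMES after URL decoding, and REQUEST_HEADERS except Referer."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        yield "ARGS_NAMES:" + name, name
        yield "ARGS:" + name, value
    for name, value in headers.items():
        if name.lower() != "referer":
            yield "REQUEST_HEADERS:" + name, value

def byte_range_violations(url, headers, low=1, high=255):
    """Model of "@validateByteRange 1-255": list every inspected field holding a
    byte outside low..high. With 1-255 the only excluded byte is NUL (0x00).
    Decoding first matters: the raw query carries the ASCII text "%00", the
    decoded argument carries the real NUL that the rule is meant to catch."""
    hits = []
    for location, value in decoded_request_fields(url, headers):
        if any(not low <= b <= high for b in value.encode("utf-8")):
            hits.append(location)
    return hits

def safe_include_path(user_value, base_dir="plugins", ext=".php"):
    """Application-side fix (constructed helper): reject NUL outright, accept
    only a plain file stem, then append the extension the application owns.
    Older PHP truncated include() paths at a NUL, so an appended ".php" was
    never seen by the filesystem; validating first removes that root cause.
    Returns the path to include, or None when the value is rejected."""
    if "\x00" in user_value:
        return None
    if not re.fullmatch(r"[A-Za-z0-9_-]+", user_value):
        return None
    return f"{base_dir}/{user_value}{ext}"

# Constructed requests shaped like the advisory's URLs ([HOST]/[PATH] omitted).
SAMPLE_REQUESTS = [
    ("/plugin.php?page=contact&file=../../config%00", {"Host": "example.test"}),
    ("/plugin.php?page=contact&file=contact", {"Host": "example.test"}),
]

if __name__ == "__main__":
    for url, headers in SAMPLE_REQUESTS:
        print(url, "->", byte_range_violations(url, headers) or "clean")
```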
