Surviving the Week 8/31/12

XSS: Gaining Access to HttpOnly Cookie

Using the getHeaderField method of the Java HTTP API, any applet can read cookies that have the HttpOnly flag set. This shows that enabling the HttpOnly flag alone does not protect you from XSS: it keeps cookies out of document.cookie, but not out of the raw response headers that a plugin such as a Java applet can read. Test your application with NTOSpider to find all possible Cross-Site Scripting in your web application.
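As an added example (not code from the original post or from NTObjectives), the following Python audit walks a set of constructed HTTP response headers and reports session cookies that lack the HttpOnly or Secure attribute. The header lines, cookie names and values are all made up for illustration. The point it makes is the one above: HttpOnly is worth setting as defence in depth, but the audit result must not be read as "immune to XSS", since a reader of raw headers is not stopped by the flag.

```python
import re

# Constructed sample response headers for illustration (not from the page).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: auth=tok456; Path=/; Secure",
    "Content-Type: text/html",
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive (HttpOnly, httponly, HTTPONLY all count).
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers):
    """Return {cookie_name: [findings]} for every Set-Cookie header in `headers`.

    An empty findings list means both HttpOnly and Secure are present; it does
    not mean the cookie is unreachable by XSS (see the HttpOnly caveat above).
    """
    findings = {}
    for line in headers:
        key, _, value = line.partition(":")
        if key.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value.strip())
        issues = []
        if "httponly" not in attrs:
            issues.append("missing HttpOnly (readable via document.cookie)")
        if "secure" not in attrs:
            issues.append("missing Secure (sent over plain HTTP)")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for cookie, issues in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or "flags present (defence in depth only)")
```

Run it against a captured response (for example the header lines from a proxy) to get a quick per-cookie list; the fully flagged JSESSIONID comes back clean, `prefs` is reported twice, and `auth` once.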

Attackers Release Zero-Day Java Exploit

A major zero-day exploit in Java was released last week. Oracle recently moved Java to a quarterly patch cycle, with its next update scheduled for October, but it has released an out-of-band update that should be applied immediately on all operating system platforms. It is rumored that the exploit has found its way into the BlackHole exploit kit, and it is available in Metasploit. You'll want to ensure that you are running Java version 7 update 7 or Java version 6 update 35.

If you're thinking of disabling Java in your browser or uninstalling it from your computer completely, that is a bit harder than point and click.
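To make the "are we on 7u7 or 6u35?" check above repeatable across a fleet, here is an added Python helper (not code from the original post or from Oracle). It parses the version line that `java -version` prints, compares it against the two fixed update levels named in the post, and treats anything it cannot parse, or any major line other than 6 and 7, as not patched so that unknown installs are surfaced rather than silently passed. The sample version strings are constructed for illustration.

```python
import re
import subprocess

# Minimum fixed builds named in the post: Java 7 Update 7 and Java 6 Update 35.
FIXED_UPDATE = {7: 7, 6: 35}

# Matches the classic 1.<major>.0_<update> form, e.g. 'java version "1.7.0_06"'.
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+_(\d+)')


def parse_java_version(output):
    """Extract (major, update) from `java -version` text, e.g. '1.7.0_06' -> (7, 6)."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def java_is_patched(output):
    """True only if the reported Java is at or past the fixed update for its major line.

    Unparseable output and major lines other than 6 and 7 return False on purpose:
    an inventory check should flag what it does not recognise, not wave it through.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return False
    major, update = parsed
    return major in FIXED_UPDATE and update >= FIXED_UPDATE[major]


def check_local_java():
    """Run the installed java binary and classify it; None means no java on PATH.

    Note that `java -version` writes to stderr, so both streams are combined.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return java_is_patched(proc.stderr + proc.stdout)


# Constructed sample outputs (not captured from a real system).
SAMPLE_OLD = 'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)'
SAMPLE_NEW = 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)'

if __name__ == "__main__":
    print("sample old patched?", java_is_patched(SAMPLE_OLD))
    print("sample new patched?", java_is_patched(SAMPLE_NEW))
    print("local java patched?", check_local_java())
```

Wire `check_local_java()` into whatever inventory script you already run on endpoints; a `False` result on a browser-enabled machine is the one to chase first given the reported exploit-kit integration.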

A Number of Vulnerabilities, Including .NET XSS

This week a number of vulnerabilities were posted, as critical as XSS, SQL injection, code execution, and authentication bypass. The following is a list of the top-risk vulnerabilities discovered in some of the most commonly used web platforms, i.e. .NET, Drupal, and WordPress. Test your application with NTOSpider to find security vulnerabilities in your application before production:

.NET Cross Site Scripting
SAP NetWeaver HostControl Command Injection
Phorum 5.2.18 Cross Site Scripting
Drupal Apache Solr Autocomplete 6.x / 7.x XSS
Drupal CAPTCHA 6.x Access Bypass
Sistem Biwes SQL Injection / Path Disclosure
Drupal Views 6.x Privilege Escalation
Joomla Spider Calendar Lite SQL Injection
Drupal Taxonomy Image 6.x Cross Site Scripting / PHP Code Execution
Drupal Announcements 6.x Access Bypass
TomatoCart 1.1.7 Cross Site Scripting
Endonesia 8.5 CMS Publisher Module SQL Injection
Disqus Blog Comments SQL Injection
WordPress HD Webplayer 1.1 SQL Injection
EMC Cloud Tiering Appliance (CTA) Authentication Bypass
Plogger 1.0 RC1 Cross Site Scripting
Simple Web Server 2.2-rc2 Code Execution

About Dan Kuykendall 173 Articles