SANTA CLARA, CA -- November 28, 2006 -- Cenzic's Intelligent Analysis (CIA) research lab today named the top five most serious web application vulnerabilities for October 2006. The CIA Lab specializes in the continuous research of application vulnerabilities and the development of remediation strategies to assist customers with their web application security needs in enterprise environments.
Cenzic's CIA Lab evaluates a wide range of newly discovered application vulnerabilities and prioritizes them based on their severity and potential to impact regulatory compliance, internal policy compliance, information privacy and financial losses. This information is released on a monthly or bi-monthly basis and can be used by enterprises as a first step in addressing the security of custom and commercial web applications.
Upon notification, enterprises generally take action to remove the vulnerability, alert impacted users and, if necessary, release security fixes or upgrades.
According to Tom Stracener, senior security analyst for Cenzic CIA Labs, "In today's environment when vulnerabilities and advisories are released in high volume and from numerous industry sources, the Top 5 vulnerability list from CIA Labs helps enterprises attenuate the signal and focus on key vulnerabilities that affect major platforms and internet software."
The CIA team analyzed all web application security vulnerabilities discovered in October and named the following as the top five most serious vulnerabilities for this time period:
1. Novell eDirectory\iMonitor Host Header Buffer Overflow
[CIA-1065-Alert]
A vulnerability in Novell eDirectory 8.8.1 may allow an attacker to execute arbitrary code on the eDirectory server. Affected users should apply Novell's security fix for this vulnerability, 8.8.1 FTF1, which can be found at the Novell Support web site: http://support.novell.com/.
CVE Number(s):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5478
2. Apache mod_tcl Format String
[CIA-1066-Alert]
A format string vulnerability was discovered in mod_tcl version 1.0 for Apache 2.x servers, whereby there is a risk of remote users executing arbitrary code. Affected users should upgrade to mod_tcl version 1.0.1 available at http://tcl.apache.org/mod_tcl/.
CVE Number(s):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4154
3. Multiple Vulnerabilities in PHP
[CIA-1067-Alert]
Several high-risk security issues were recently disclosed in versions of PHP prior to 5.2.0. PHP is a widely used general-purpose scripting language for Web development. The issues included heap overflows and other bugs that let users execute arbitrary code or cause denial of service conditions. Sites using vulnerable versions of PHP should upgrade to the latest stable release of PHP, 5.2.0, which is available from the vendor: http://www.php.net.
CVE Number(s):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4482
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4486
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4812
4. osCommerce Cross-Site Scripting
[CIA-1068-Alert]
Multiple Cross-Site Scripting (XSS) vulnerabilities were discovered in osCommerce version 2.2. Sites using vulnerable versions should contact osCommerce support for information regarding a solution. As a temporary workaround, ensure that access to the /admin directory is properly secured. Fixed versions of osCommerce are released at: http://www.oscommerce.com.
CVE Number(s):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5190
5. ASP.NET Cross-Site Scripting
[CIA-1069-Alert]
A vulnerability in ASP.NET 2.0 allows a remote attacker to perform Cross-Site Scripting attacks via AutoPostBack. Affected users should apply the appropriate security update from Microsoft. For more information, see http://www.microsoft.com/technet/security/bulletin/ms06-056.mspx.
CVE Number(s):
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3436
About CIA Lab Ratings
Cenzic's CIA Lab uses a proprietary formula for calculating the severity of vulnerability information. Cenzic's risk metrics are subject to change without notice. The vulnerabilities selected for this alert were chosen due to one or more of the following factors:
Origin: unauthenticated remote users could exploit the vulnerability
Boundary: the vulnerability would allow privilege escalation upon a successful attack
Popularity: the software is widely used or deployed
Criticality: the vulnerability fits the profile of the critical areas identified by OWASP, CSI, SANS, or other sources.
That a particular vulnerability is rated as severe does not imply negligence on the part of the author/maintainer/vendor of the affected software.
Cenzic has taken immediate steps to ensure that users of Cenzic Hailstorm are proactively alerted against these and other serious security vulnerabilities. CIA monitors security vulnerability information as it is released to ensure that Hailstorm provides up-to-date, comprehensive detection and remediation of the most severe application security vulnerabilities. For more information, please visit Cenzic's CIA website at http://www.cenzic.com/cia_research/.