WASC Announcement: Static Analysis Technologies Evaluation Criteria Published

2013-05-13 Thread announcements

The Web Application Security Consortium (WASC) is pleased to announce the
Static Analysis Technologies Evaluation Criteria. The goal of the SATEC
project is to create a vendor-neutral set of criteria to help guide
application security professionals during the process of acquiring a
static code analysis technology that is intended to be used during
source-code driven security programs. This document provides a
comprehensive list of criteria that should be considered during the
evaluation process.

WASC Static Analysis Technologies Evaluation Criteria
http://projects.webappsec.org/Static%20Analysis%20Technologies%20Evaluation%20Criteria


Target Audience:
The target audience of this document is the technical staff of software
organizations who are looking to automate parts of their application
security assurance programs using one or more static code analysis
technology, as well as application security professionals who are
responsible for performing application security reviews. The document will
take into consideration those who would be evaluating the technology and
those who would actually be using it.


Scope:
The purpose of this document is to develop a set of criteria that should
be taken into consideration while evaluating static code analysis tools or
services for security testing. The vendor-neutral criteria defined in this
document are selected using a consensus-driven review process comprised of
volunteer subject matter experts. Every organization is unique and has its
own software development environment; this document aims to help
organizations achieve their application security goals by acquiring
the most suitable tool for their own unique environment. The document will
strictly stay away from evaluating or rating vendors. However, it will
focus on the most important aspects of static code analysis technologies
that would help the target audience identify the best technology for their
environment and development needs.


Contributors:
- Aaron Weaver (Pearson Education)
- Abraham Kang (HP Fortify)
- Alec Shcherbakov (AsTech Consulting)
- Alen Zukich (Klocwork)
- Arthur Hicken (Parasoft)
- Amit Finegold (Checkmarx)
- Benoit Guerette (NorthSec)
- Chris Eng (Veracode)
- Chris Wysopal (Veracode)
- Dan Cornell (Denim Group)
- Daniel Medianero (Buguroo Offensive Security)
- Dinis Cruz (SecurityInnovation)
- Gamze Yurttutan
- Herman Stevens
- Janos Drencsan
- James McGovern (HP)
- Jean-Marc Atchison (Centauri Technologies)
- Joe Hemler (Gotham Digital Science)
- Jojo Maalouf (Hydro Ottawa)
- Laurent Levi (Checkmarx)
- Mushtaq Ahmed (Emirates Airlines)
- Ory Segal (IBM)
- Philippe Arteau
- Sherif Koussa (Software Secured) [Project Leader]
- Srikanth Ramu (University of British Columbia)
- Romain Gaucher (Coverity)
- Sneha Phadke (eBay)
- Wagner Elias (Conviso)


Contact:
Participation in the Web Application Security Scanner Evaluation Criteria
project is open to all.  If you have any questions about the evaluation
criteria, please contact Sherif Koussa ( sherif dot koussa at gmail dot
com)

Regards,
- announcements () webappsec () org
http://www.webappsec.org/
The Web Application Security Consortium


[SECURITY] [DSA 2666-1] xen security update

2013-05-13 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2666-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
May 12, 2013   http://www.debian.org/security/faq
- -

Package: xen
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1918 CVE-2013-1952 CVE-2013-1964

Multiple vulnerabilities have been discovered in the Xen hypervisor. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2013-1918 (XSA 45) Several long latency operations are not preemptible

Some page table manipulation operations for PV guests were not made
preemptible, allowing a malicious or buggy PV guest kernel to mount a
denial of service attack affecting the whole system.

CVE-2013-1952 (XSA 49) VT-d interrupt remapping source validation flaw for 
bridges

Due to missing source validation on interrupt remapping table
entries for MSI interrupts set up by bridge devices, a malicious
domain with access to such a device can mount a denial of service
attack affecting the whole system.

CVE-2013-1964 (XSA 50) grant table hypercall acquire/release imbalance

When releasing a particular non-transitive grant after a grant
copy operation, Xen incorrectly releases an unrelated grant
reference, possibly leading to a crash of the host system.
Furthermore, information leakage or privilege escalation cannot be
ruled out.

For the oldstable distribution (squeeze), these problems have been fixed in
version 4.0.1-5.11.

For the stable distribution (wheezy), these problems have been fixed in
version 4.1.4-3+deb7u1.

For the testing distribution (jessie), these problems have been fixed in
version 4.1.4-4.

For the unstable distribution (sid), these problems have been fixed in
version 4.1.4-4.

Note that for the stable (wheezy), testing and unstable distribution,
CVE-2013-1964 (XSA 50) was already fixed in version 4.1.4-3.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGPnpQACgkQXm3vHE4uylrs9ACfee38DGGOYWz4iDO2bw2IQicP
yl0AoIQTH3e+MWQDUdmAT3OOIQb9EMLV
=FOiN
-END PGP SIGNATURE-



[SECURITY] [DSA 2667-1] mysql-5.5 security update

2013-05-13 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2667-1   secur...@debian.org
http://www.debian.org/security/Moritz Muehlenhoff
May 12, 2013   http://www.debian.org/security/faq
- -

Package: mysql-5.5
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1502 CVE-2013-1511 CVE-2013-1532 CVE-2013-1544 
 CVE-2013-2375 CVE-2013-2376 CVE-2013-2389 CVE-2013-2391 
 CVE-2013-2392

Several issues have been discovered in the MySQL database server. The 
vulnerabilities are addressed by upgrading MySQL to a new upstream 
version, 5.5.31, which includes additional changes, such as performance 
improvements and corrections for data loss defects. 

For the stable distribution (wheezy), these problems have been fixed in
version 5.5.31+dfsg-0+wheezy1.

For the unstable distribution (sid), these problems have been fixed in
version 5.5.31+dfsg-1.

We recommend that you upgrade your mysql-5.5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlGP7fUACgkQXm3vHE4uylqlywCfbAjmgJeD8bHXIVIkvMBEKlcb
aiMAnj4Jqmct6e52m72Q3jiEGDl6qrIS
=orFh
-END PGP SIGNATURE-



[ MDVSA-2013:164 ] mesa

2013-05-13 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:164
 http://www.mandriva.com/en/support/security/
 ___

 Package : mesa
 Date: May 13, 2013
 Affected: Business Server 1.0
 ___

 Problem Description:

 Updated mesa packages fix security vulnerability:
 
 It was discovered that Mesa incorrectly handled certain arrays. An
 attacker could use this issue to cause Mesa to crash, resulting in a
 denial of service, or possibly execute arbitrary code (CVE-2012-5129).
 
 Mesa has also been updated to version 8.0.5, fixing several bugs.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5129
 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0143
 ___

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 cb06a5cac3f9fa3f0d2c866598aa7a36  mbs1/x86_64/lib64dri-drivers-8.0.5-1.mbs1.x86_64.rpm
 f2a98f31e037cb3abca4bf4e7add59ba  mbs1/x86_64/lib64gbm1-8.0.5-1.mbs1.x86_64.rpm
 3db027f3349da9f87af8e255e7504e1e  mbs1/x86_64/lib64gbm1-devel-8.0.5-1.mbs1.x86_64.rpm
 9b0c52329f3c4315a6fe8bcf97bf5bbf  mbs1/x86_64/lib64glapi0-8.0.5-1.mbs1.x86_64.rpm
 261c0587b551dc3a2979e5a793bbd438  mbs1/x86_64/lib64glapi0-devel-8.0.5-1.mbs1.x86_64.rpm
 9d25805e84c684bdf8aa8f76894403ee  mbs1/x86_64/lib64mesaegl1-8.0.5-1.mbs1.x86_64.rpm
 1f961b47739679365dc17c2391430123  mbs1/x86_64/lib64mesaegl1-devel-8.0.5-1.mbs1.x86_64.rpm
 14a189a35767f5839f1be2860b28289a  mbs1/x86_64/lib64mesagl1-8.0.5-1.mbs1.x86_64.rpm
 8122ce03c2dff2f6a9ae68fe76d228ee  mbs1/x86_64/lib64mesagl1-devel-8.0.5-1.mbs1.x86_64.rpm
 3fe4404b1dedd68e95cbbb31a1a8f2b1  mbs1/x86_64/lib64mesaglesv1_1-8.0.5-1.mbs1.x86_64.rpm
 def8114e6723ab4464b767e000f3ec84  mbs1/x86_64/lib64mesaglesv1_1-devel-8.0.5-1.mbs1.x86_64.rpm
 5977b769f9d51677d6e01144e34a6fd7  mbs1/x86_64/lib64mesaglesv2_2-8.0.5-1.mbs1.x86_64.rpm
 277b2b772034d0cf063d8b50e0a1dd48  mbs1/x86_64/lib64mesaglesv2_2-devel-8.0.5-1.mbs1.x86_64.rpm
 6280570c002cc5ae435eafc7ef9c7870  mbs1/x86_64/lib64mesaglu1-8.0.5-1.mbs1.x86_64.rpm
 3fe7ab22b68cead65df8bb71594f940f  mbs1/x86_64/lib64mesaglu1-devel-8.0.5-1.mbs1.x86_64.rpm
 71b6233fe83c13368da65a10ce19be1e  mbs1/x86_64/lib64mesaopenvg1-8.0.5-1.mbs1.x86_64.rpm
 034793f6b661a284bce591d85696c0b4  mbs1/x86_64/lib64mesaopenvg1-devel-8.0.5-1.mbs1.x86_64.rpm
 14eeccb8ce19479c5b213805c13d7e2a  mbs1/x86_64/lib64wayland-egl1-8.0.5-1.mbs1.x86_64.rpm
 234da3b9878104b5f18ae69e91f1e083  mbs1/x86_64/lib64wayland-egl1-devel-8.0.5-1.mbs1.x86_64.rpm
 8cf136a1417283b68c3a5647f8737ea7  mbs1/x86_64/mesa-8.0.5-1.mbs1.x86_64.rpm
 823a8c551215f69e3314f3feecd7c1f7  mbs1/x86_64/mesa-common-devel-8.0.5-1.mbs1.x86_64.rpm
 5b6a05a53bf9ed88bda5359e53506e96  mbs1/SRPMS/mesa-8.0.5-1.mbs1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRkNAPmqjQ0CJFipgRAotZAKDj+mWdMvq4N2THnW2cM+hdL9niVACfXzEo
yl1wawSnTIFwa8gY0rvSNYw=
=/Hxj
-END PGP SIGNATURE-



[RT-SA-2013-001] Advisory: Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution

2013-05-13 Thread RedTeam Pentesting GmbH
Advisory: Exim with Dovecot: Typical Misconfiguration Leads to Remote
  Command Execution

During a penetration test a typical misconfiguration was found in the
way Dovecot is used as a local delivery agent by Exim. A common use
case for the Dovecot IMAP and POP3 server is the use of Dovecot as a
local delivery agent for Exim. The Dovecot documentation contains an example
using a dangerous configuration option for Exim, which leads to a remote
command execution vulnerability in Exim.


Details
===

Product: Exim with Dovecot LDA and Common Example Documentation
Affected Versions: Example Configuration in Dovecot Wiki since
   2009-10-23
Vulnerability Type: Remote Code Execution
Security Risk: HIGH
Vendor URL: http://www.exim.org http://www.dovecot.org
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2013-001
Advisory Status: public


Introduction
============

Dovecot is an open source IMAP and POP3 server. Dovecot is used both for
small and large installations because of its good performance and simple
administration. Exim is a message transfer agent developed at the
University of Cambridge, freely available under the terms of the GNU
General Public Licence. Both services are commonly used in tandem with
each other. Dovecot is often configured in Exim to handle mail delivery to
mailboxes.

The Dovecot wiki contains an example configuration for Exim to have
Dovecot handle mail delivery in conjunction with LDAP. Using Dovecot as
a local delivery agent (LDA) for Exim is a common use case for an
Exim/Dovecot server. The Dovecot wiki, which is also packaged as
documentation with the Dovecot source packages and many Linux
distribution packages, contains example configurations for Exim. One
configuration contains a dangerous option, which leads to a remote
command execution vulnerability in Exim. Since this configuration
concerns a very common use case of Dovecot with Exim and is widely
repackaged in distribution packages, users of Dovecot and Exim should
check their current configuration of Exim.


More Details
============

Dovecot and Exim can be used together without any further configuration
of the Exim mail delivery process. In that setup Dovecot can access mail
delivered to a user's mailbox, but message filtering through Dovecot's
server-side filters is not possible.

In order for server-side mail filtering by the Sieve implementation of
Dovecot to work, Dovecot provides its own local delivery agent (LDA).
This agent must be added to the Exim delivery configuration as a mail
transport. To make such a configuration work, Exim offers the
possibility to use pipe transports[1]. The Exim daemon then hands the
email messages over to an external program, in this case the Dovecot LDA
(on Debian GNU/Linux found at /usr/lib/dovecot/deliver).

The Dovecot-Wiki[2] and documentation propose, among others, a
configuration for using Exim with the Dovecot LDA and multiple UIDs
which are loaded from an external source, for example LDAP. It is
assumed that this configuration is often used as a template when
configuring new email servers, as coupling SMTP and POP3/IMAP servers
with an external user database like LDAP is common. Furthermore, this
example configuration is rather detailed. Therefore, it is estimated
that many administrators based their configuration on this one.

The example transport configuration from the Dovecot wiki is shown
below:

dovecot_deliver:
  debug_print = T: Dovecot_deliver for $local_part@$domain
  driver = pipe
  # Uncomment the following line and comment the one after it if you
  # want deliver to try to deliver subaddresses into INBOX.{subaddress}.
  # If you do this, uncomment the local_part_suffix* lines in the router
  # as well. Make sure you also change the separator to suit your local
  # setup.
  #command = /usr/lib/dovecot/deliver -e -k -s \
  #   -m INBOX|${substr_1:$local_part_suffix} \
  command = /usr/lib/dovecot/deliver -e -k -s \
  -f $sender_address -a $original_local_part@$original_domain
  use_shell
  environment = USER=$local_part@$domain
  umask = 002
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  log_defer_output
  return_fail_output
  freeze_exec_fail
  #temp_errors = *
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78


With the use_shell option, Exim does not start the program directly;
instead it expands all Exim variables and passes the resulting string to
a shell, which then starts the LDA. In most standard setups the content
of the variable $sender_address can be controlled by an attacker, and its
value is inserted verbatim into the string supplied to the shell. This
enables attackers to execute arbitrary shell
commands in the name 
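As an added example (not code from the advisory, from Exim or from Dovecot), the POSIX shell script below reproduces the difference described above with a stand-in for the LDA, and then audits an Exim configuration for pipe transports that set use_shell. The two transport stanzas embedded in it are constructed from the wiki excerpt above; the second has use_shell removed, which is the change the analysis above implies. With use_shell off (Exim's documented default) Exim splits the command into arguments before expanding each one separately, so whatever $sender_address contains stays a single argument. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: why use_shell turns $sender_address into command injection,
# and an audit for the option. Constructed stand-ins throughout; "echo"
# replaces the real /usr/lib/dovecot/deliver.

# --- 1. The mechanism --------------------------------------------------
# $1 plays the part of the expanded $sender_address.

# With use_shell: Exim expands the whole command string and hands the
# result to /bin/sh -c, so shell metacharacters in the sender are parsed.
deliver_with_shell() {
  sh -c "echo deliver -e -k -s -f $1"
}

# Without use_shell (the default): the command is split into arguments
# first and each argument is expanded on its own, so the sender is one
# argv element whatever it contains.
deliver_without_shell() {
  echo deliver -e -k -s -f "$1"
}

# Returns 0 if the command smuggled in the sender address ran, 1 if not.
injection_succeeded() {   # $1 = delivery function to exercise
  "$1" 'attacker@example.org; echo INJECTED' | grep -qx INJECTED
}

# --- 2. The audit ------------------------------------------------------
# Reads an Exim configuration on stdin and prints the name of every stanza
# that combines driver = pipe with use_shell. Comment lines are ignored;
# "no_use_shell" and "use_shell = false" count as off.
find_use_shell_transports() {
  awk '
    function flush() { if (name != "" && pipe && shell) print name }
    /^[ \t]*#/ { next }
    /^[A-Za-z0-9_]+:[ \t]*$/ {          # stanza header, e.g. "dovecot_deliver:"
      flush(); name = $1; sub(/:$/, "", name); pipe = 0; shell = 0; next
    }
    /^[ \t]*driver[ \t]*=[ \t]*pipe[ \t]*$/            { pipe = 1 }
    /^[ \t]*use_shell[ \t]*$/                          { shell = 1 }
    /^[ \t]*use_shell[ \t]*=[ \t]*(true|yes)[ \t]*$/   { shell = 1 }
    /^[ \t]*use_shell[ \t]*=[ \t]*(false|no)[ \t]*$/   { shell = 0 }
    /^[ \t]*no_use_shell[ \t]*$/                       { shell = 0 }
    END { flush() }
  '
}

# Constructed sample: the wiki transport as quoted above, and the same
# transport with use_shell removed.
WIKI_TRANSPORT='dovecot_deliver:
  driver = pipe
  command = /usr/lib/dovecot/deliver -e -k -s \
    -f $sender_address -a $original_local_part@$original_domain
  use_shell
  environment = USER=$local_part@$domain
  umask = 002'

FIXED_TRANSPORT='dovecot_deliver:
  driver = pipe
  command = /usr/lib/dovecot/deliver -e -k -s \
    -f $sender_address -a $original_local_part@$original_domain
  environment = USER=$local_part@$domain
  umask = 002'

audit() {   # $1 = configuration text; prints the flagged stanza names
  printf '%s\n' "$1" | find_use_shell_transports
}

if injection_succeeded deliver_with_shell; then
  echo 'use_shell: the sender address ran a command'
fi
audit "$WIKI_TRANSPORT"    # prints: dovecot_deliver
audit "$FIXED_TRANSPORT"   # prints nothing
```

On a live host whose configuration is spread over several files, `exim -bP transport dovecot_deliver` (`exim4` on Debian) prints the transport's effective settings, so the presence of use_shell can be checked without piecing the files together.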

Wireless Disk PRO v2.3 iOS - Multiple Web Vulnerabilities

2013-05-13 Thread Vulnerability Lab
Title:
==
Wireless Disk PRO v2.3 iOS - Multiple Web Vulnerabilities


Date:
=
2013-02-26


References:
===
http://www.vulnerability-lab.com/get_content.php?id=883


VL-ID:
=
883


Common Vulnerability Scoring System:

6.2


Introduction:
=
AirDisk Pro allows you to store, view and manage files on your iPhone, iPad or 
iPod touch. You can connect to AirDisk Pro from any Mac or 
PC over the Wi-Fi network and transfer files by drag & drop straight from 
the Finder or Windows Explorer.

DOCUMENT READER:
Support MS Office, iWork, Text & HTML
MULTIMEDIA PLAYER:
An ability to in app create your own audio playlist with repeat, shuffle, 
background playback and remote control from multitask.
HTTP/FTP PASSWORD PROTECTED:
Files transfer between PC/Mac with password protected.
FILE OPERATION:
Move, Copy, Rename, Delete, Zip, Unzip, UnRAR, Create File and Folder.
FILE SHARING:
File sharing with other iPhone/iPad devices via Bluetooth or Wi-Fi connection 
with automatic search of nearest available devices around you.
EASY FILE UPLOAD:
Drag and drop files upload via your PC/Mac web browser or USB via iTunes File 
Sharing.
TEXT EDITOR:
Built-in text editor that allows you to edit your text files or source codes on 
your iOS device.
IMPORT/ FILES CREATION:
An ability to create text files, image captures, video records, voice 
recordings and import pictures from photo library.
PASSCODE LOCK:
An ability to protect your files from viewing by others.
UNIVERSALITY:
This app is developed for both iPhone and iPad, you need to purchase only once.

AirDisk Pro features document viewer, PDF reader, music player, image viewer, 
voice recorder, text editor, file manager and 
support most of the file operations: like delete, move, copy, email, share, 
zip, unzip and more.

(Copy of the Vendor Homepage: 
https://itunes.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the mobile Wireless Disk PRO v2.3 app for the Apple iPad & iPhone.


Report-Timeline:

2013-02-26: Public Disclosure


Status:

Published


Affected Products:
==
Apple
Product: Wireless Disk PRO 2.3


Exploitation-Technique:
===
Remote


Severity:
=
Critical


Details:

1.1
A local file include web vulnerability via the POST request method is detected in 
the mobile Wireless Disk PRO v2.3 app for the Apple iPad & iPhone.
The vulnerability allows remote attackers to inject local app webserver folder 
paths via POST in order to request unauthorized local webserver files.

The vulnerability is located in the file upload module of the webserver 
(http://localhost:6566/) when it processes a manipulated filename 
submitted via POST. The injected path or file request is executed when the 
index listing of the affected module is reloaded after the file include 
attack via upload.

Exploitation of the vulnerability requires no user interaction and no 
application user account (no password is set by default).
Successful exploitation of the vulnerability results in unauthorized path or 
file access via a local file or path include attack.

Vulnerable Application(s):
[+] Wireless Disk PRO v2.3 - iTunes or AppStore 
(Apple)

Vulnerable Module(s):
[+] File Upload (Web Server) [Remote]

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] File - Index Listing



1.2
A local command injection web vulnerability is detected in the mobile Wireless 
Disk PRO v2.3 app for the Apple iPad & iPhone.
The vulnerability allows local commands to be injected via vulnerable system 
values to compromise the Apple mobile application.

The vulnerability is located in the index module when it loads the iPad or 
iPhone device name. Local attackers can change the device name to 
system-specific commands or file/path requests, which are executed when the 
index page of the application is displayed.

Exploitation of the web vulnerability requires a local device user account 
with standard privileges and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution 
of system-specific commands or file/path requests.

Vulnerable Application(s):
[+] Wireless Disk PRO v2.3 - iTunes or AppStore 
(Apple)

Vulnerable Module(s):
[+] Index

Vulnerable Parameter(s):
[+] device name

Affected Module(s):
[+] Header Device - Index File Dir Listing



1.3
A persistent input validation vulnerability is detected in the mobile Wireless 
Disk PRO v2.3 app for the Apple iPad & iPhone.
The bug allows an attacker (remote) 

File Lite 3.3 3.5 PRO iOS - Multiple Web Vulnerabilities

2013-05-13 Thread Vulnerability Lab
Title:
==
File Lite 3.3 & 3.5 PRO iOS - Multiple Web Vulnerabilities


Date:
=
2013-05-04


References:
===
http://www.vulnerability-lab.com/get_content.php?id=939


VL-ID:
=
939


Common Vulnerability Scoring System:

5.9


Introduction:
=
You have tons of files you need to get from one device to another, so what do 
you do? You use File Pro, that's what you do. 
App Chronicles! Multipurpose, Easy-to-Use and Robust app for files & documents. 
Import files, documents & media from PC/Mac, 
email attachments, dropbox, sugarsync, iCloud & Box.net to File Pro along with 
amazing transfer features of FTP and Wifi. 
The only documents manager app which includes total security of files along 
with PDF scanner, Audio Recorder and editing 
TXT files. Open all kind of files & documents including RAR and CBR files.

(Copy of the Homepage: 
https://itunes.apple.com/de/app/file-pro-document-viewer-file/id537623975 ) 
 [PRO VERSION]
(Copy of the Homepage: 
https://itunes.apple.com/de/app/file-lite-document-viewer/id540971042 ) 
 [LITE VERSION]


Abstract:
=
The Vulnerability Laboratory Research Team discovered multiple web 
vulnerabilities in the mobile File Lite 3.3 & 3.5 PRO iOS app (Apple - 
iPad|iPhone).


Report-Timeline:

2013-05-04: Public Disclosure


Status:

Published


Affected Products:
==
Apple AppStore
Product: File Lite - Evereader Wi-Fi Sharing iOS 3.3 & 3.5 PRO


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

1.1
A local file include and arbitrary file upload vulnerability is detected in the 
mobile File Lite 3.3 & 3.5 PRO iOS app (Apple - iPad|iPhone).
The vulnerability allows remote attackers to include unauthorized files on the 
affected webserver file system via the POST method.

Remote attackers can also plant mobile webshells by uploading files with 
multiple extensions (*.php.js.gif) via the POST request method. The attacker 
uploads a file with a double or multiple extension and, in a second step, 
accesses the file through the webserver's directory listing to compromise the 
Apple iPhone or iPad application.

Exploitation of the local file include web vulnerability requires neither user 
interaction nor an application user account. 
Successful exploitation of the web vulnerabilities results in app/service 
manipulation and iPad or iPhone compromise via file include or unauthorized 
web-server file (webshell) upload attacks.

Vulnerable Application(s):
[+] File Lite 3.3 & 3.5 PRO - iTunes or 
AppStore (Apple)

Vulnerable Module(s):
[+] File Upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] File Dir Index Listing



1.2
A persistent input validation vulnerability is detected in the mobile File Lite 
3.3 & 3.5 PRO iOS app (Apple - iPad|iPhone).
The bug allows a remote attacker to inject malicious script code persistently 
on the application side of the app's web service. 

The vulnerability is located in the index file dir listing module of the 
webserver (http://localhost:8080/) when it displays filenames that were 
manipulated via the POST request method. The persistent script code is executed 
from the main index file dir listing module when the service lists the newly 
injected malicious filename as an item.

Exploitation of the persistent web vulnerability requires low or medium user 
interaction and no application user account.
Successful exploitation of the vulnerability can lead to persistent session 
hijacking (customers), account theft via persistent web attacks, persistent 
phishing, or persistent manipulation of the certificate mail notification 
context.

Vulnerable Application(s):
[+] File Lite 3.3 & 3.5 PRO - iTunes or 
AppStore (Apple)

Vulnerable Module(s):
[+] File Upload

Vulnerable Parameter(s):
[+] Name

Affected Module(s):
[+] Filename - Index File Dir Name Listing


1.3
A client side cross site scripting web vulnerability is detected in the mobile 
File Lite 3.3 & 3.5 PRO iOS app (Apple - iPad|iPhone).
The vulnerability allows remote attackers to craft manipulated URLs that inject 
script code into client side application requests.

The client side cross site scripting web vulnerability is located in the index 
section when a manipulated filename (value) is requested via GET and returned 
in the response. The vulnerability occurs when a remote attacker changes the 
GET file request to their own script code. The request is executed on the 
client side in the victim's browser.
Exploitation of the vulnerability does not require