[Sunnet Alert] Advisory #208 - PHP (Multiple), QuickTime, Mod_security, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Tue Mar 6 21:19:48 EST 2007
Sûnnet Beskerming Alert List Advisory #208
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 PHP (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
1.2 QuickTime
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Day
1.3 Mod_security
- Remote Hacker Protection Bypass
- Time Since Discovery - 1 Day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Scripting Languages Under Threat
2.2 I Know Where Your Browser Has Been
=======================================
1. SECURITY
1.1 PHP (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
CVS Version of PHP
PHP 4.4.3 - 4.4.6
Zend Platform 2.2.3 and earlier
-- Technical Description --
MOPB-06-2007 - Local privilege escalation due to insecure script
permissions set on default installation of Zend Platform.
MOPB-07-2007 - Local privilege escalation due to vulnerability in
ini_modifier associated with Zend Platform.
MOPB-08-2007 - XSS vulnerability in phpinfo() in PHP 4.4.3 - 4.4.6
where GET, POST, COOKIE content is not escaped prior to display.
MOPB-09-2007 - Buffer overflow (arbitrary code execution) in
wddx_deserialize() in the CVS version of PHP.
-- Description --
The second batch of vulnerabilities from the MOPB (Month of PHP Bugs)
project has been released, identifying vulnerabilities in phpinfo()
and the Zend Platform.
-- Recommended Action --
Update to the latest non-CVS version of PHP, as well as Zend
Platform 3 (if it is being used).
-- Source --
http://www.php-security.org
-- Threat Matrix --
              U   O
Home User     9   9   (Critical)
Corporate     9   9   (Critical)
1.2 QuickTime - Remote Hacker Automatic Control
-- Products Affected --
QuickTime 7.1.4 and earlier
-- Technical Description --
Eight distinct remote code execution vulnerabilities have been
patched with this latest release of QuickTime. Specifically, the
patch provides protection against heap overflow errors when
processing MIDI, PICT, or QTIF files; protection against integer
overflows when handling 3GP, QTIF and UDTA data; and stack and buffer
overflows when handling QTIF and QuickTime media.
-- Description --
Apple have released a critical update for their QuickTime media
codec and associated player, addressing several serious issues with
the codec, which could allow remote attackers to take control over
vulnerable user systems by convincing the victim to interact with a
malicious media file (such as visiting a website with the file
embedded on it).
-- Recommended Action --
Update to QuickTime 7.1.5 at the earliest opportunity. According to
reports received by the ISC, this update needs to be downloaded and
installed manually, as the inbuilt updater will not correctly
identify this as an available update.
-- Source --
http://docs.info.apple.com/article.html?artnum=305149
-- Threat Matrix --
              U   O
Home User     9   9   (Critical)
Corporate     9   9   (Critical)
1.3 Mod_security - Remote Hacker Protection Bypass
-- Products Affected --
Mod_security 2.1.0 and earlier (and many scripting languages)
-- Technical Description --
Mod_security does not properly handle POST data that contains a NUL
(ASCIIZ string terminator) byte at the start of the string: it passes
the data through without modification to the scripting language
(Python, Perl, PHP, others), allowing potentially malicious script
injection.
-- Description --
The web application firewall, mod_security, has been found to be
vulnerable to a simple attack that will completely bypass any
protection provided to POST data that is submitted to a script
protected by mod_security. Because of the simplicity of the attack,
and the number of scripting languages potentially vulnerable to
exploitation as a result, this is a very serious problem that web
application developers need to be aware of.
-- Recommended Action --
Apply the patches from mod_security as soon as they become
available, and re-evaluate the handling of POST data by web
applications.
-- Source --
http://www.php-security.org/
-- Threat Matrix --
              U   O
Home User     9   9   (Critical)
Corporate     9   9   (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Scripting Languages Under Threat
The mod_security vulnerability covered above raises a serious problem
for maintainers of web applications that were previously protected by
a mod_security installation. mod_security and many scripting languages
handle the presence of a NUL (ASCIIZ terminator) byte in a POST data
field differently: mod_security will essentially ignore the content of
the POST field from that byte onwards, while many scripting languages
will treat it as just another piece of data in the POST field and
will happily process the rest of the data field.
The biggest impact will be on sites and administrators that run
mod_security in an effort to track and protect against potential data
injection via common POST or GET opportunities. Now that it is
possible to easily bypass mod_security, without it identifying the
attempt, attackers will be able to avoid detection on at least one
level when conducting probes against / cracking into vulnerable web
applications.
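The divergence described in 1.3 and 2.1 above, as an added example that is
not part of the advisory or of mod_security: a C-string view of a POST field
stops at the first NUL byte, while a length-delimited form parser keeps the
whole value. The validation function shows the kind of server-side check an
application can apply to POST data; all field names and bodies are constructed.

```python
"""Added example (not from the advisory): compare a NUL-terminated view of
POST fields with a length-delimited one, and reject bodies where they differ.
Field names and sample bodies are constructed for illustration."""
from urllib.parse import unquote_to_bytes


def c_string_view(value: bytes) -> bytes:
    """What a NUL-terminated (ASCIIZ) string consumer sees: everything
    before the first 0x00 byte. A leading NUL yields an empty string."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def parse_form(body: bytes) -> dict[bytes, list[bytes]]:
    """application/x-www-form-urlencoded parser that keeps the full,
    length-delimited value of every field (a scripting language's view)."""
    fields: dict[bytes, list[bytes]] = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        name, _, value = pair.partition(b"=")
        name = unquote_to_bytes(name.replace(b"+", b" "))
        value = unquote_to_bytes(value.replace(b"+", b" "))
        fields.setdefault(name, []).append(value)
    return fields


def fields_with_hidden_tail(body: bytes) -> list[str]:
    """Names of fields whose full value differs from their C-string view,
    i.e. fields carrying data that an inspector stopping at NUL never sees."""
    hidden = []
    for name, values in parse_form(body).items():
        if any(c_string_view(v) != v for v in values):
            hidden.append(name.decode("latin-1"))
    return sorted(hidden)


def validate_post_body(body: bytes) -> tuple[bool, str]:
    """Hardening check for the application side: refuse any request whose
    decoded form values contain a NUL byte, so that every inspector along
    the request path (WAF and application alike) sees the same data."""
    bad = fields_with_hidden_tail(body)
    if bad:
        return False, "embedded NUL in field(s): " + ", ".join(bad)
    return True, "ok"
```

The check is applied to the decoded values, so both a raw 0x00 byte and a
percent-encoded `%00` are caught.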
2.2 I Know Where Your Browser Has Been
After recent work by Jeremiah Grossman and a number of other well
known web application researchers, it was discovered that attackers /
researchers could use JavaScript to assess the browsing history of a
browser without the user's knowledge. Of course, disabling
JavaScript while online will prevent this particular method of
discovery.
In the last few days, a new method has been disclosed which no longer
requires the use of JavaScript. Instead, this method takes advantage
of specific CSS behaviour to look at what sites have been visited in
recent history, and then make that data available to the server.
This particular discovery (still in its early stages) has the
potential to allow researchers / attackers to ascertain the browsing
history of site visitors, even if they have disabled JavaScript in an
effort to stay safe online.
Recent discoveries by the ISC have turned up malicious JavaScript
that even has basic anti-analysis code built in, which will trap
people trying to use procedures such as wrapping the script in
<textarea></textarea> to identify and investigate malicious script.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.