Top 10 vulnerabilities in Web applications in Q1 2007

Cenzic released its Application Security Trends Report – Q1 2007 with some alarming findings. The report provides a thorough analysis of reported vulnerabilities, including the most threatening, Web application probes, attack statistics and key findings. While this report highlights the Top 10 vulnerabilities in commercial and open source applications, Cenzic believes that the problem is much worse if you factor in proprietary home grown applications, as these typically contain a large number of vulnerabilities.

In this study, Cenzic identified 1,561 unique vulnerabilities during the first quarter of 2007. Of the reported vulnerabilities, file inclusion, SQL injection, cross-site scripting and directory traversal were the most prevalent, totaling 63 percent. The majority of vulnerabilities affected Web servers, Web applications and Web browsers, with Cenzic classifying the bulk as easily exploitable.

Top Ten Vulnerabilities in Commercial and Open Source Web Applications from Q1 2007:

– Adobe Acrobat Reader Cross-Site Scripting and Code Execution – Several vulnerabilities were reported, including the ability for a remote user to cause arbitrary code to execute on the target user’s system as well as conduct cross-site scripting attacks.

– Google Desktop Cross-Site Scripting – Multiple vulnerabilities were discovered in Google Desktop that permit a remote attacker to conduct cross-site scripting attacks, allowing access to data on the user’s system.

– IBM Websphere HTTP Response Splitting – Versions of IBM Websphere are vulnerable to HTTP Response splitting attacks, leaving open the possibility of poison Web caches, spoof content or conduct cross-site scripting attacks.

– Lotus Domino Web Access Cross-Site Scripting – The Active Content Filter feature failed to properly filter script code from user-supplied input within e-mail messages prior to displaying those messages to the user. As a result, a remote attacker could cause arbitrary script code to execute in a victim’s browser by sending a maliciously crafted e-mail message.

– PHP Nested Array Denial of Service – In PHP processing, a recursion bug of deeply nested arrays can allow a remote attacker to conduct a denial of service attack against PHP installations, which could lead to a server crash.

– PHP Multiple Buffer Overflows and Denial of Service – Multiple vulnerabilities included several severe vulnerabilities that could allow a remote attacker to execute arbitrary code on affected servers.

– IBM Rational ClearQuest Cross-Site Scripting – A cross-site scripting vulnerability in IBM Rational ClearQuest Web 7.0.0.0 allows remote attackers to inject arbitrary script code via an attachment to defect log submission.

– Sun Java Access Manager Multiple Vulnerabilities – Multiple cross-site scripting vulnerabilities were reported in the Sun Java Access Manager allowing remote hackers the ability to inject HTML as well as other forms of script code and perform privilege escalation via session cookie theft as well as various content spoofing and other browser-based attacks.

– Apache Tomcat Buffer Overflow – A buffer overflow in the Apache Tomcat JK Web Server Connector allows a remote attacker to execute code on any server running a vulnerable version of Apache Tomcat.

– BEA WebLogic Buffer Overflow and Multiple Vulnerabilities – Multiple vulnerabilities were discovered, ranging from remote code execution via buffer overflows through various denial of service and information disclosure attacks.

As part of the study, Cenzic incorporated findings from Cenzic ClickToSecure, their leading-edge security assessment and penetration testing service (SaaS), and research from Cenzic Intelligent Analysis (CIA) Labs. Some of the key findings from include:

– More than seven of 10 analyzed Web applications engaged in insecure communication practices that could potentially lead to the exposure of sensitive or confidential user information during transactions.

– Architectural flaws, design flaws and insecure application configurations are still common culprits in the exposure of sensitive user information.

-Cross-site scripting was the most common injection flaw, with seven out of 10 Web applications vulnerable to this type of attack.

– Roughly two in every 10 applications were found to be vulnerable to SQL injection attacks.

– Approximately 50 percent of all applications failed to properly implement structured exception handling.

– More than 70 percent of all Web forms analyzed were vulnerable to cross-fame scripting attacks.