Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

Apache Access Vulnerability Could Affect Thousands of Applications

A recently discovered issue with a common file access method could be a major new attack surface for malware authors.

Vulnerabilities in Apache functions have been at the root of significant breaches, including the one suffered by Equifax. Now new research indicates that another such vulnerability may be putting thousands of applications at risk.

Lawrence Cashdollar, a vulnerability researcher and member of Akamai's Security Incident Response Team, found an issue with the way that thousands of code projects are using Apache .htaccess, leaving them vulnerable to unauthorized access and a subsequent file upload attack in which auto-executing code is uploaded to an application.

The problem, Cashdollar said, is that .htaccess functionality was turned off by default beginning in Apache Version 2.3.9 – though for good reasons. "It turns out that it was a performance hit for the Apache server," he told Dark Reading, explaining that every time a directory was opened, a call to the files in .htaccess would result.

Even more serious, he said, were the security implications. "Users could use this .htaccess access to override security controls for the server itself or the server configuration itself," Cashdollar said. "So it was a security feature that could be misused."

A security vulnerability is born, Cashdollar said, when a developer looks at very old documentation and uses .htaccess for authentication instead of one of the methods now suggested by the Apache Foundation. "It's going to silently fail" when called, he said, returning no error message and allowing free access.

Cashdollar said he got a feeling for the scope of the vulnerability when he explored a software project by Blueimp called jQuery File Upload. It is a frequently used file upload widget that allows many file types to be uploaded to a website built with a number of different programming languages.

jQuery File Upload is popular. "The project in GitHub has 7,800 clones of it or forks," Cashdollar said. "So there are at least 7,800 derivatives of this vulnerable code out there." GitHub allowed him to see 1,000 of these forks, and he hand-checked dozens; all were vulnerable.

When the vulnerability was reported to Blueimp, the issue was confirmed and a patch applied to the main fork. Other forks remain vulnerable until a patch is applied or a different authentication method is used in the application.

In a GitHub project explaining CVE-2018-9206 (the designation now given the vulnerability), Cashdollar shows how an exploit could work. He also notes that exploits of this vulnerability have appeared in the wild — which isn not a secret to the hacking community.

Cashdollar's blog post explaining his research on this vulnerability outlines the research process and the vulnerability's implications. "Unfortunately, there is no way to accurately determine how many of the projects forked from jQuery File Upload are being properly maintained and applying changes as they happen in the master project," he wrote. "Also, there is no way to determine where the forked projects are being used in production environments, if they’re being used in such a way. Moreover, older versions of the project were also vulnerable to the file upload issue, going back to 2010."

For developers, the implication is clear: Review changes to the systems and libraries used in projects, and make sure that all are being used and configured in ways that permit them to do the job they're called to perform in the application.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1817
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
CVE-2013-2091
PUBLISHED: 2019-11-20
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
CVE-2012-1257
PUBLISHED: 2019-11-20
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
CVE-2013-1816
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.
CVE-2011-4455
PUBLISHED: 2019-11-20
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.