Application Security

Apache Access Vulnerability Could Affect Thousands of Applications

A recently discovered issue with a common file access method could be a major new attack surface for malware authors.

Vulnerabilities in Apache functions have been at the root of significant breaches, including the one suffered by Equifax. Now new research indicates that another such vulnerability may be putting thousands of applications at risk.

Lawrence Cashdollar, a vulnerability researcher and member of Akamai's Security Incident Response Team, found an issue with the way that thousands of code projects are using Apache .htaccess, leaving them vulnerable to unauthorized access and a subsequent file upload attack in which auto-executing code is uploaded to an application.

The problem, Cashdollar said, is that .htaccess functionality was turned off by default beginning in Apache Version 2.3.9 – though for good reasons. "It turns out that it was a performance hit for the Apache server," he told Dark Reading, explaining that every time a directory was opened, a call to the files in .htaccess would result.

Even more serious, he said, were the security implications. "Users could use this .htaccess access to override security controls for the server itself or the server configuration itself," Cashdollar said. "So it was a security feature that could be misused."

A security vulnerability is born, Cashdollar said, when a developer looks at very old documentation and uses .htaccess for authentication instead of one of the methods now suggested by the Apache Foundation. "It's going to silently fail" when called, he said, returning no error message and allowing free access.

Cashdollar said he got a feeling for the scope of the vulnerability when he explored a software project by Blueimp called jQuery File Upload. It is a frequently used file upload widget that allows many file types to be uploaded to a website built with a number of different programming languages.

jQuery File Upload is popular. "The project in GitHub has 7,800 clones of it or forks," Cashdollar said. "So there are at least 7,800 derivatives of this vulnerable code out there." GitHub allowed him to see 1,000 of these forks, and he hand-checked dozens; all were vulnerable.

When the vulnerability was reported to Blueimp, the issue was confirmed and a patch applied to the main fork. Other forks remain vulnerable until a patch is applied or a different authentication method is used in the application.

In a GitHub project explaining CVE-2018-9206 (the designation now given the vulnerability), Cashdollar shows how an exploit could work. He also notes that exploits of this vulnerability have appeared in the wild — which isn not a secret to the hacking community.

Cashdollar's blog post explaining his research on this vulnerability outlines the research process and the vulnerability's implications. "Unfortunately, there is no way to accurately determine how many of the projects forked from jQuery File Upload are being properly maintained and applying changes as they happen in the master project," he wrote. "Also, there is no way to determine where the forked projects are being used in production environments, if they’re being used in such a way. Moreover, older versions of the project were also vulnerable to the file upload issue, going back to 2010."

For developers, the implication is clear: Review changes to the systems and libraries used in projects, and make sure that all are being used and configured in ways that permit them to do the job they're called to perform in the application.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-6345
PUBLISHED: 2019-01-15
The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all s...
CVE-2018-7603
PUBLISHED: 2019-01-15
In Drupal's 3rd party module search auto complete prior to versions 7.x-4.8 there is a Cross Site Scripting vulnerability. This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered t...
CVE-2019-3554
PUBLISHED: 2019-01-15
Wangle's AcceptRoutingHandler incorrectly casts a socket when accepting a TLS 1.3 connection, leading to a potential denial of service attack against systems accepting such connections. This affects versions of Wangle prior to v2019.01.14.00
CVE-2019-3557
PUBLISHED: 2019-01-15
The implementations of streams for bz2 and php://output improperly implemented their readImpl functions, returning -1 consistently. This behavior caused some stream functions, such as stream_get_line, to trigger an out-of-bounds read when operating on such malformed streams. The implementations were...
CVE-2019-0030
PUBLISHED: 2019-01-15
Juniper ATP uses DES and a hardcoded salt for password hashing, allowing for trivial de-hashing of the password file contents. This issue affects Juniper ATP 5.0 versions prior to 5.0.3.