Application Security

10/18/2018
11:00 AM
50%
50%

Apache Access Vulnerability Could Affect Thousands of Applications

A recently discovered issue with a common file access method could be a major new attack surface for malware authors.

Vulnerabilities in Apache functions have been at the root of significant breaches, including the one suffered by Equifax. Now new research indicates that another such vulnerability may be putting thousands of applications at risk.

Lawrence Cashdollar, a vulnerability researcher and member of Akamai's Security Incident Response Team, found an issue with the way that thousands of code projects are using Apache .htaccess, leaving them vulnerable to unauthorized access and a subsequent file upload attack in which auto-executing code is uploaded to an application.

The problem, Cashdollar said, is that .htaccess functionality was turned off by default beginning in Apache Version 2.3.9 – though for good reasons. "It turns out that it was a performance hit for the Apache server," he told Dark Reading, explaining that every time a directory was opened, a call to the files in .htaccess would result.

Even more serious, he said, were the security implications. "Users could use this .htaccess access to override security controls for the server itself or the server configuration itself," Cashdollar said. "So it was a security feature that could be misused."

A security vulnerability is born, Cashdollar said, when a developer looks at very old documentation and uses .htaccess for authentication instead of one of the methods now suggested by the Apache Foundation. "It's going to silently fail" when called, he said, returning no error message and allowing free access.

Cashdollar said he got a feeling for the scope of the vulnerability when he explored a software project by Blueimp called jQuery File Upload. It is a frequently used file upload widget that allows many file types to be uploaded to a website built with a number of different programming languages.

jQuery File Upload is popular. "The project in GitHub has 7,800 clones of it or forks," Cashdollar said. "So there are at least 7,800 derivatives of this vulnerable code out there." GitHub allowed him to see 1,000 of these forks, and he hand-checked dozens; all were vulnerable.

When the vulnerability was reported to Blueimp, the issue was confirmed and a patch applied to the main fork. Other forks remain vulnerable until a patch is applied or a different authentication method is used in the application.

In a GitHub project explaining CVE-2018-9206 (the designation now given the vulnerability), Cashdollar shows how an exploit could work. He also notes that exploits of this vulnerability have appeared in the wild — which isn not a secret to the hacking community.

Cashdollar's blog post explaining his research on this vulnerability outlines the research process and the vulnerability's implications. "Unfortunately, there is no way to accurately determine how many of the projects forked from jQuery File Upload are being properly maintained and applying changes as they happen in the master project," he wrote. "Also, there is no way to determine where the forked projects are being used in production environments, if they’re being used in such a way. Moreover, older versions of the project were also vulnerable to the file upload issue, going back to 2010."

For developers, the implication is clear: Review changes to the systems and libraries used in projects, and make sure that all are being used and configured in ways that permit them to do the job they're called to perform in the application.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
Why the CISSP Remains Relevant to Cybersecurity After 28 Years
Steven Paul Romero, SANS Instructor and Sr. SCADA Network Engineer, Chevron,  11/6/2018
5 Reasons Why Threat Intelligence Doesn't Work
Jonathan Zhang, CEO/Founder of WhoisXML API and TIP,  11/7/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19220
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows remote attackers to execute arbitrary PHP code via the host parameter to the install/ URI.
CVE-2018-19221
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows SQL Injection via the admin/login.php guanliyuan parameter.
CVE-2018-19222
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows a /install/mysql_hy.php?riqi=0&i=0 attack to reset the admin password, even if install.txt exists.
CVE-2018-19223
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. It allows XSS via the first input field to the admin/type.php?id=1 URI.
CVE-2018-19224
PUBLISHED: 2018-11-12
An issue was discovered in LAOBANCMS 2.0. /admin/login.php allows spoofing of the id and guanliyuan cookies.