Jan 24

5 Overlooked Open Source Vulnerabilities

By Dave

By now you have probably read about the open source report the Homeland Security team released. It showcases the vulnerabilities found in open source programs. The third-party company behind this report, Palamida, has released its top 5 most overlooked flaws.

Palamida makes it clear that these vulnerabilities have already been fixed, but many companies have not applied the patches yet. So, for the sake of fellow Web developers and hosters alike, I will list the top 5 here and where to go to patch them.

Special thanks to the Palamida team and their blog. You can find the original post of this at "The Top 5 Most Overlooked Open Source Vulnerabilities for 2007"

These are listed in alphabetical order, since the top 5 are not ranked by severity.

1. Apache Geronimo

The login method in the LoginModule does not throw a FailedLoginException for failed logins. This can allow attackers to strong-arm their way into administrative access and bypass authentication requirements: they do this with a blank username and password and the command-line deployer. While we are on the subject, if your Web site has an authentication section, make sure you use error codes and command-line removal in your authentication routine so the same trick cannot be used on your site.

To fix this problem simply download the Apache patch.
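The pattern the Geronimo flaw violates is worth seeing in code. The following is an added example, not Geronimo's code or anything from the Palamida post: a JAAS LoginModule whose login() signals every failure by throwing FailedLoginException, and which rejects a blank username or password outright. The class name StrictLoginModule, the nested UserPrincipal type, the in-memory user table and the credential values are all constructed for illustration, and the stand-alone main() exercises a blank login, a wrong password and a correct one.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS module, constructed for this example (not Geronimo's code). */
public class StrictLoginModule implements LoginModule {
    // Constructed credential store; a real module would use a properties file, database or LDAP
    // and store a salted hash rather than the plain-text value used here for brevity.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse battery");

    private Subject subject;
    private CallbackHandler handler;
    private String authenticatedUser;
    private boolean succeeded;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("could not collect credentials: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] password = passCb.getPassword();
        passCb.clearPassword();
        // The weak pattern returns quietly on a bad or blank login, so the LoginContext never sees a
        // failure. Here every failure path throws, and blank credentials are rejected before any lookup.
        if (name == null || name.isEmpty() || password == null || password.length == 0) {
            throw new FailedLoginException("blank username or password rejected");
        }
        byte[] given = new String(password).getBytes(StandardCharsets.UTF_8);
        java.util.Arrays.fill(password, '\0');
        String expected = USERS.get(name);
        // MessageDigest.isEqual compares in constant time once the lengths match.
        if (expected == null || !java.security.MessageDigest.isEqual(
                given, expected.getBytes(StandardCharsets.UTF_8))) {
            throw new FailedLoginException("invalid username or password");
        }
        authenticatedUser = name;
        succeeded = true;
        return true;
    }

    @Override public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(authenticatedUser));
        return true;
    }
    @Override public boolean abort() { succeeded = false; authenticatedUser = null; return true; }
    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
        return abort();
    }

    /** Minimal principal type, constructed for the example. */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Stand-alone run: the blank login and the wrong password both fail with an exception. */
    public static void main(String[] args) {
        String[][] attempts = { { "", "" }, { "alice", "wrong" }, { "alice", "correct horse battery" } };
        for (String[] a : attempts) {
            StrictLoginModule m = new StrictLoginModule();
            m.initialize(new Subject(), callbacks -> {
                for (Callback c : callbacks) {
                    if (c instanceof NameCallback) ((NameCallback) c).setName(a[0]);
                    else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(a[1].toCharArray());
                }
            }, Map.of(), Map.of());
            try {
                m.login(); m.commit();
                System.out.println("login ok for '" + a[0] + "'");
            } catch (LoginException e) {
                System.out.println("login failed for '" + a[0] + "': " + e.getMessage());
            }
        }
    }
}
```

The point to carry over to your own authentication code is that a failed login must be an explicit error the caller cannot miss, not a silent return: only the last attempt above reaches commit(), and the first two end in FailedLoginException.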

2. JBOSS Application Server

A vulnerability in the DeploymentFileRepository class allows remote authenticated users to read or modify files.

To fix this problem download the JBOSS patch.

3. LibTIFF

The TIFF library before version 3.8.2 allows attackers to bypass numeric range checks and possibly execute code or cause overflows.

Either apply a simple patch or use the latest version. For the patch, download the following patch.

4. Net-SNMP

snmp_api.c in snmpd in Net-SNMP 5.2.x before 5.2.2, 5.1.x before 5.1.3, and 5.0.x before 5.0.10.2, when running in master agentx mode, allows attackers to cause a denial of service via a TCP disconnect.

The issue has been resolved in 5.1.3, 5.2.2, and 5.3. If you require an older version, use the following patch.

5. Zlib

Zlib 1.2 and later versions allow an attacker to cause a denial of service using a compressed stream that leads to a buffer overflow.

Simply upgrade to a later version such as 1.2.3. To get the new version, download it here.


Just because software has a vulnerability doesn't mean it should be abandoned; just about everything nowadays has vulnerabilities. We simply need to be vigilant about keeping our sites secure. Along with downloading these patches, be sure to check your code for XSS vulnerabilities and the like. All forms that read from or write to your database should be secured by stripping program code from the input boxes and adding an image check (CAPTCHA) or similar. Image checks prevent bots from reaching your vital areas and force attackers to work by hand.
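To make the form advice concrete, here is an added example (constructed for this post, not taken from any project mentioned above) of the two defences that matter for a database-backed form: keeping submitted values out of the SQL text with a parameterised statement, and HTML-escaping values before echoing them back so a pasted script tag renders as text rather than running. The class name FormInputGuard, the allow-list pattern, the users table and the sample inputs are assumptions; lookupUserId() expects the application to supply a JDBC Connection, and the image check from the paragraph above is not shown.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Constructed helpers for a hosting-style login or contact form. */
public final class FormInputGuard {

    private FormInputGuard() {}

    // Allow-list for a username field: decide what legitimate input looks like and reject the rest.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    public static boolean isValidUsername(String s) {
        return s != null && USERNAME.matcher(s).matches();
    }

    /** HTML-escape a value before writing it into a page, so submitted markup is displayed, not executed. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Vulnerable pattern, shown for contrast only: the submitted value is pasted into the SQL text,
     * so whatever the visitor typed becomes part of the query.
     */
    static String unsafeLookupSql(String username) {
        return "SELECT id FROM users WHERE name = '" + username + "'";
    }

    /**
     * Hardened pattern: the value travels as a bound parameter and stays data. The Connection is
     * supplied by the application (assumption: any JDBC driver and a users(id, name) table).
     */
    public static Integer lookupUserId(Connection conn, String username) throws SQLException {
        if (!isValidUsername(username)) {
            return null;   // reject before touching the database at all
        }
        try (PreparedStatement ps = conn.prepareStatement("SELECT id FROM users WHERE name = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }

    /** Stand-alone run over constructed sample inputs; no database is needed for this part. */
    public static void main(String[] args) {
        String[] samples = { "dave", "x' OR '1'='1", "<script>alert(1)</script>" };
        for (String s : samples) {
            System.out.println("input:             " + s);
            System.out.println("  valid username?  " + isValidUsername(s));
            System.out.println("  unsafe SQL text: " + unsafeLookupSql(s));
            System.out.println("  escaped for HTML:" + escapeHtml(s));
        }
    }
}
```

Running main() shows why the allow-list and the parameter binding belong together: the second and third samples fail isValidUsername(), so lookupUserId() never builds a query for them, and even a value that did pass would be bound with setString() rather than spliced into the SQL the way unsafeLookupSql() does.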

Hope this all helps, and till next time, happy hosting.
