Top 10 vulnerabilities in Web applications in Q3 2007
Cenzic released their Application Security Trends Report for Q3, 2007. The report highlights an alarming trend among thousands of corporations and government agencies – the majority of them have yet to take any action to protect their Web applications. The report is a thorough analysis of reported vulnerabilities, Web application probes, attack statistics and key findings, and emphasizes the top 10 vulnerabilities from published reports in Q3 2007. These include:
Bugzilla Webservice – A remote user can create a user account in Bugzilla using the Web service, even if the account creation has been disabled by the administrator, allowing for unauthorized users to gain access to data by creating the new account.
Sun Java System Access Manager – Sun Java System Access Manager 7.1, when installed in a Sun Java System Application Server 9.1 container, does not demand authentication after a container restart, allowing remote attackers to perform administrative tasks.
Rational Clearquest – The login page does not properly validate user-supplied input in the username field, allowing a remote user to supply a specially crafted parameter value that executes SQL commands on the underlying database, which can be exploited to bypass authentication.
Tomcat Host Manager – Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for versions of Apache Tomcat allows remote attackers to inject arbitrary HTML and Web script via crafted requests.
Apache mod-proxy – The date handling code in Apache 2.3.0, when using a threaded MPM, allows remote origin servers to cause a denial of service.
Java Runtime Environment – A vulnerability found in Java Runtime Environment 5.0 Update 9 and prior allows a remote user to cause arbitrary code to be executed on a target user’s system, allowing remote applets to gain elevated privileges.
Apache Tomcat – Versions of Apache Tomcat do not properly handle the backslash and single quote character sequence in cookie values, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.
Sun Java Systems Web Server – Versions of Sun Java System Web Servers have a CRLF injection vulnerability in the redirect feature, allowing remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks.
IBM WebSphere Application Server – Multiple unspecified vulnerabilities in versions of IBM WebSphere Application Server have unknown impact and attack vectors.
Java Web Start JNLP – A remote user can create a specially crafted JNLP file that, when loaded by the target user, will trigger a stack overflow and execute arbitrary code on the target system, which can be exploited automatically via a maliciously crafted Web page.
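The Rational Clearquest entry above describes the classic pattern behind SQL-injection authentication bypass: a login page pastes the username field straight into the SQL text. The following is an added illustration, not code from the Cenzic report or from any of the products listed; it uses an in-memory SQLite table with constructed sample users and places a vulnerable login routine next to the parameterized version that fixes it. The table layout, the `hash_password` stand-in and the sample credentials are all assumptions made for the example.

```python
import hashlib
import sqlite3
from typing import Optional


def hash_password(password: str) -> str:
    # Stand-in for the example only; a real system uses a slow, salted
    # password hash, but the injection problem is independent of that.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", hash_password("admin-secret")), ("alice", hash_password("alice-secret"))],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Vulnerable: the username is concatenated into the SQL text.

    A single quote in the username closes the string literal, so whatever
    follows it is interpreted as SQL rather than as data. A trailing comment
    marker then discards the password check entirely.
    """
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + hash_password(password) + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[int]:
    """Fixed: bound parameters keep the username as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    crafted = "admin' --"  # constructed input: quote closes the literal, -- comments out the rest
    print("vulnerable, wrong password, crafted username:", login_vulnerable(db, crafted, "wrong"))
    print("safe, wrong password, crafted username:     ", login_safe(db, crafted, "wrong"))
    print("safe, correct credentials:                  ", login_safe(db, "admin", "admin-secret"))
```

The parameterized version is the whole fix; input filtering on the username field alone is fragile because the set of characters that can break out of a literal depends on the database and its quoting rules.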
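The Sun Java System Web Server entry describes CRLF injection in a redirect feature. The mechanism is general: a header value built from user input that is allowed to contain a carriage return or line feed terminates the current header line, so the rest of the value becomes additional headers or, after a blank line, a second response body. The example below is added here and is not code from the report or from Sun's server; it models a minimal redirect writer, the check a defender wants in front of it (rejecting CR/LF in raw, percent-encoded and double-encoded form), and a small header parser used to confirm the check works. The header names, the constructed inputs and the decision to reject rather than encode are assumptions for the example.

```python
import re
from typing import List
from urllib.parse import unquote

# A header value may never contain a line terminator; any CR or LF that
# survives into the value is the signature of a CRLF-injection attempt.
_CRLF = re.compile(r"[\r\n]")


def has_crlf(value: str) -> bool:
    """True if value contains CR/LF directly or after one or two rounds of percent-decoding.

    Decoding twice catches double encoding such as %250d%250a, which some
    components decode again later in the pipeline.
    """
    candidate = value
    for _ in range(2):
        if _CRLF.search(candidate):
            return True
        candidate = unquote(candidate)
    return bool(_CRLF.search(candidate))


def build_redirect_unchecked(target: str) -> bytes:
    """Vulnerable pattern: the user-supplied target is concatenated into a header."""
    response = f"HTTP/1.1 302 Found\r\nLocation: {target}\r\nContent-Length: 0\r\n\r\n"
    return response.encode("latin-1", errors="replace")


def build_redirect_checked(target: str) -> bytes:
    """Fixed pattern: refuse any target that could terminate the header line."""
    if has_crlf(target):
        raise ValueError("line terminator in redirect target")
    return build_redirect_unchecked(target)


def redirect_is_rejected(target: str) -> bool:
    """Helper so the outcome of the check is observable as a value."""
    try:
        build_redirect_checked(target)
    except ValueError:
        return True
    return False


def header_names(raw: bytes) -> List[str]:
    """Header field names in the first header block of a serialized response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]  # drop the status line
    return [line.split(":", 1)[0] for line in lines if ":" in line]


if __name__ == "__main__":
    # Constructed test input: a redirect target carrying an embedded CRLF.
    injected = "/home\r\nSet-Cookie: injected=1"
    print("unchecked writer emits:", header_names(build_redirect_unchecked(injected)))
    print("checked writer rejects it:", redirect_is_rejected(injected))
    print("checked writer accepts a normal target:", redirect_is_rejected("/home?next=%2Fabout"))
```

The durable fix belongs in the server's header-writing layer, where every `Location` or `Set-Cookie` value passes through one check, rather than in each application that happens to build a redirect.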