Archives

Managing Vulnerabilities Using a Vulnerability Scanner

When it comes to network security there are several things one must address. Patch management will take care of any vulnerability that the vendor is aware of and has issued a patch for, but it will do nothing for vulnerabilities for which a patch is still in development or the vendor chose not to fix at all. Furthermore, not all vulnerabilities are caused by software bugs and therefore they cannot be fixed by a patch. Some vulnerabilities are due to bad configurations and that is when a vulnerability scanner becomes an important asset. A good vulnerability scanner will also give you the necessary tools to address said vulnerabilities. This is how one should typically go about the process:

1.     Identification

Once the vulnerabilities on the network are identified, the administrator then needs to split the list of vulnerabilities into those that can be addressed through patch management and those which require manual intervention. A good vulnerability scanner will generally make this distinction.

2.     Understanding the Vulnerabilities

By reading the information that a vulnerability scanner provides about a particular vulnerability that has been detected, an administrator might be able to ascertain the scope of that vulnerability. For example, having AutoRun enabled on the system is one potential vulnerability. Since AutoRun is generally associated with CD/DVD drives, an administrator might dismiss this as unimportant if the machine on which the vulnerability was identified has no CD/DVD drive. However, the administrator will discover after reading the scanner’s information on that vulnerability that it also applies to removable media. This means that the vulnerability is a realistic threat and applicable to the current environment and thus action needs to be taken.

3.     Resolving vulnerabilities

Vulnerabilities are harder to deal with when a simple patch is not the solution. The easiest way to deal with vulnerabilities is generally to disable or remove the software in question but this is not always possible (at least not in a way that does not disrupt the business). A good vulnerability scanner will provide enough information to the administrator on how to rectify the specific vulnerability.

This is generally done by carrying out additional research on the vulnerability itself and what other people did to solve the problem. A good vulnerability scanner will provide various reference numbers on every vulnerability it discovers. There are a number of public vulnerability databases that make use of these reference numbers and through these databases you can find details on what is causing the issue and the steps on how to resolve it. These public vulnerability databases include:

  • CVE: the Common Vulnerabilities and Exposures list, which gives each publicly known vulnerability a CVE identifier
  • BID: Bugtraq IDs, the reference numbers SecurityFocus uses for its vulnerability database
  • MS bulletin IDs: Microsoft Security Bulletin numbers (MSyy-nnn), which tie a vulnerability to the update that fixes it

Apart from the above resources, searching for the specific ID in any search engine should give you plenty of resources and forum discussions showing how other people went about securing their systems against the specific vulnerability.

Due to the nature of vulnerabilities and the countless variations of setups, dealing with vulnerabilities is a little harder than simply deploying patches; however, a good vulnerability scanner will give you all the necessary tools to detect and research vulnerabilities that affect your system. It’s important not to let the added complexity dishearten you from properly securing your environment. Remember, as with everything in security, all it takes is one weak link to render all your hard work null and void. An attacker only needs to compromise one weakness to gain unauthorized access to your system.

 

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Learn more on what to look out for when choosing a vulnerability scanner.

All product and company names herein may be trademarks of their respective owners.

 

Guest Post:  Many thanks to Sarah Spiteri from GFI Software (http://gfi.com) for contribution.


SQL Injection: How To Prevent Security Flaws In PHP / MySQL

What is SQL Injection
Most new web developers have heard of SQL injection attacks, but not many know that it is fairly easy to stop an attacker from reaching your data by cleaning the user input that goes into your queries with the MySQL extension functions found in PHP. An SQL injection attack occurs when a hacker or cracker (a malicious hacker) feeds crafted input to a database-driven web site so that the site's own query returns, alters or dumps the contents of a database table. In an unprotected and vulnerable site, this is pretty easy to do.

SQL injection is a common vulnerability that is the result of lax input validation. Unlike cross-site scripting vulnerabilities that are ultimately directed at your site’s visitors, SQL injection is an attack on the site itself, in particular its database.
The goal of SQL injection is to insert arbitrary data, most often a database query, into a string that’s eventually executed by the database. The insidious query may attempt any number of actions, from retrieving alternate data, to modifying or removing information from the database.

How an SQL injection attack works
For an SQL injection attack to work, the site must build an unprotected SQL query out of data submitted by a user in order to look something up in a database table. The data could come from a search box, a login form or any other input used to look up data. Query string data (the part of the URL after the ?) that is used to query a database creates exactly the same vulnerability.
For example:

A very simple unprotected query might look like this:

SELECT * FROM items WHERE itemID = '$itemID'

Normally you would expect $itemID to hold an item identifier typed or selected by the user, which is used to look up that one row. But what if someone submitted the following as the item ID instead?

' OR '1' = '1

The query sent to the database would then read:

SELECT * FROM items WHERE itemID = '' OR '1' = '1'

The WHERE clause is now true for every row, so the query can return the entire table. This is a scary thought if you are trying to keep your data secure, and note that the attacker did not need to know anything about your database or table structure to do it. The same trick works against a login form: supplying it as the password turns a username/password check into a condition that matches every user.

What if an error or some other issue exposed your table structure? Attackers are very good at forcing errors that leak information and let them penetrate a site more deeply. With a table name in hand, what if the following were entered in the password field?

'; drop table users;

Whether that second statement actually runs depends on the database driver: the legacy PHP mysql extension's mysql_query() sends only one statement per call and rejects this, but other APIs and databases do execute stacked statements, so never rely on that as protection.
How to protect your database from SQL injection attacks
There is a method for filtering the data that is placed on the right side of a WHERE clause comparison to look up a row. The trick is to escape any characters in the user-supplied portion of the query that could terminate the string literal and let an attacker add SQL of their own.

Use the following function to add backslashes to suspect characters and filter any data that is input by a user.

function cleanQuery($string)
{
    // Strip the backslashes magic_quotes_gpc may already have added to
    // GET/POST/COOKIE data, so they are not escaped a second time.
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }

    // mysql_real_escape_string() exists from PHP 4.3.0 and needs an open
    // connection (it escapes according to the connection's character set).
    if (version_compare(PHP_VERSION, '4.3.0', '>=')) {
        $string = mysql_real_escape_string($string);
    } else {
        $string = mysql_escape_string($string);
    }

    return $string;
}

// if you are using form data, use the function like this:
if (isset($_POST['itemID'])) {
    $itemID = cleanQuery($_POST['itemID']);
}

// you can also filter the data while building the query string:
$sql = "SELECT * FROM items WHERE itemID = '" . cleanQuery($itemID) . "'";
The first part checks whether magic quotes is turned on. If so, PHP may already have added backslash escapes to data that arrived through POST or GET. Any such backslashes need to be removed before the string goes through the rest of the function, otherwise it would be escaped twice.

The next part checks the PHP version. The built-in function we want is mysql_real_escape_string, which only exists in PHP 4.3.0 or newer; on older versions the function falls back to mysql_escape_string.

mysql_escape_string is not as effective as mysql_real_escape_string. The newer function escapes the string according to the character set of the current connection (so it must be called with an open connection), while mysql_escape_string ignores the character set, which can leave an opening for attackers using multi-byte encodings. If you are on an older version of PHP and are protecting sensitive data, you really should upgrade. Note also that the whole mysql extension was deprecated in PHP 5.5 and removed in PHP 7.0; on current PHP the equivalent is mysqli_real_escape_string() or, better, a prepared statement through mysqli or PDO, which keeps user data out of the SQL text altogether and does not depend on quoting at all.

So what does mysql_real_escape_string do?

This PHP library function prepends backslashes to the following characters: \n, \r, \, \x00, \x1a, ' and ". The important part is that the single and double quotes are escaped, because these are the characters most likely to open up vulnerabilities.

For those who do not know what an escape is: it is a character placed in front of another character to change how that character is interpreted. An escaped quote is no longer read by the database as the end of the string literal; it becomes ordinary data inside the string. In other words, escaping makes the character ineffective as query syntax. PHP's own parser treats backslash escapes inside double-quoted strings in the same spirit. The standard escape character for both PHP and MySQL is the backslash.

In the case of the SQL query example used above, after running the input through the routine the query looks like this:

SELECT * FROM items WHERE itemID = '\' OR \'1\' = \'1'

The quotes no longer terminate the string, so MySQL searches for an item whose itemID is literally ' OR '1' = '1 and returns nothing, instead of returning every row.

This method should stop the bulk of SQL injection attacks, but crackers and hackers are creative and keep finding new ways in. Some people go a step further and filter out certain words such as drop, grant, union and so on. Be aware that this is a blacklist, and blacklists are weak on both sides: they strip those words from legitimate searches by your users, and a single-pass replacement can be bypassed by nesting the word inside itself (removing "union" from "UNunionION" leaves "UNION" behind). If you still want this extra layer and do not mind certain words disappearing from queries, you can add the following just before the PHP version check in cleanQuery:

$badWords = array("/delete/i", "/update/i","/union/i","/insert/i","/drop/i","/http/i","/--/i");
$string = preg_replace($badWords, "", $string);

This additional step may stop an attacker who slipped past the escaping from doing damage. Just remember that if you take it and you run a site where someone might search for a "plumbing union" or a "drop cloth", those queries will not work as intended. If you are wondering what the trailing i after each pattern in the array is, it makes the preg_replace matching case insensitive. This was not needed with eregi_replace, but that function was deprecated in PHP 5.3.
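The following is an added example written for this page, not code from the original post. It uses Python's sqlite3 module as a stand-in for MySQL so that it runs offline (SQLite escapes a quote by doubling it rather than with a backslash, but what escaping protects, and what it does not, is the same). It shows the tautology above returning every row through string concatenation, the escaping from cleanQuery defeating it only when the value sits inside quotes, the keyword blacklist (run on its own here, to isolate its behaviour) both breaking a legitimate "plumbing union" search and being bypassed by a nested keyword, and a parameterised query handling all of it. The items and vault tables and their rows are constructed for the example.

```python
import re
import sqlite3

BAD_WORDS = ["delete", "update", "union", "insert", "drop", "http", "--"]


def make_db():
    """Constructed sample data for the example (not from the post)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE items (id INTEGER, name TEXT);
        INSERT INTO items VALUES (1, 'drop cloth'), (2, 'plumbing union'), (3, 'hammer');
        CREATE TABLE vault (secret TEXT);
        INSERT INTO vault VALUES ('db-admin-password');
    """)
    return con


def escape(value):
    """Quote escaping in the spirit of mysql_real_escape_string. SQLite has no
    backslash escapes inside string literals, so a quote is doubled instead
    (the SQL-standard form); what it protects, and what it does not, is the same."""
    return value.replace("'", "''")


def strip_bad_words(value):
    """Single-pass keyword blacklist, like the post's preg_replace step."""
    pattern = "|".join(re.escape(w) for w in BAD_WORDS)
    return re.sub(pattern, "", value, flags=re.IGNORECASE)


def by_name_concat(con, name):
    """The unprotected query: user input pasted straight into the SQL text."""
    sql = "SELECT id FROM items WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def by_name_escaped(con, name):
    """Escaping works here because the value sits inside a quoted literal."""
    sql = "SELECT id FROM items WHERE name = '" + escape(name) + "'"
    return [row[0] for row in con.execute(sql)]


def by_id_escaped_unquoted(con, item_id):
    """Numeric column compared without quotes: there is nothing to escape,
    so the escaping routine passes an injected condition straight through."""
    sql = "SELECT id FROM items WHERE id = " + escape(item_id)
    return [row[0] for row in con.execute(sql)]


def by_name_blacklist(con, name):
    """Escaping replaced by the keyword blacklist, to show its two failure modes."""
    sql = "SELECT id FROM items WHERE name = '" + strip_bad_words(name) + "'"
    return [row[0] for row in con.execute(sql)]


def by_name_param(con, name):
    """Parameterised query: the value is bound by the driver and never becomes SQL."""
    return [row[0] for row in con.execute("SELECT id FROM items WHERE name = ?", (name,))]


def demo():
    con = make_db()
    tautology = "' OR '1' = '1"
    # "union" is removed once and the letters around it close up to spell it again
    nested = "x' UNunionION SELECT secret FROM vault WHERE '1' = '1"
    return {
        "concat_tautology": by_name_concat(con, tautology),           # every item
        "escaped_tautology": by_name_escaped(con, tautology),         # no match
        "escaped_unquoted": by_id_escaped_unquoted(con, "1 OR 1=1"),  # every item
        "blacklist_legit": by_name_blacklist(con, "plumbing union"),  # legit search broken
        "blacklist_bypass": by_name_blacklist(con, nested),           # reads the vault
        "param_tautology": by_name_param(con, tautology),             # no match
        "param_legit": by_name_param(con, "plumbing union"),          # [2]
    }


if __name__ == "__main__":
    for check, rows in demo().items():
        print(f"{check:18} -> {rows}")
```

The two lessons that the post's escaping approach does not make explicit are visible in the output: escaping only helps where the value is wrapped in quotes (a numeric id compared without quotes is still injectable), and a keyword blacklist can be defeated by anyone who knows it is a single pass. The parameterised query needs neither escaping nor a blacklist, which is why it is the preferred fix.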

Another important step that needs to be taken with any database is controlling user privileges. When setting up the MySQL account your site connects with, never assign more privileges than it actually needs for the tasks the site performs: an account that only reads the items table needs SELECT on that table and nothing else, so even a successful injection cannot drop a table or grant itself more access. Privileges are easily assigned and managed through phpMyAdmin, which is found in the control panel (cPanel, Plesk, etc.) of most hosting companies.

Useful Links

http://en.wikipedia.org/wiki/SQL_injection
http://www.learnphponline.com/securi…tion-mysql-php
http://dev.mysql.com/tech-resources/…curity-ch3.pdf
http://www.tizag.com/mysqlTutorial/m…-injection.php

Antivirus and anti-malware protection

There are many different antivirus and anti-malware protection programs available, ranging in price from free to several hundred dollars, depending on their sophistication and scope of use. It is critically important that anyone who connects to the internet has adequate protection against possible infection by the viruses, trojans, worms and other malware that circulate so prolifically these days.

There is an adage that says, “If a little bit is good, then a lot is better”. However, in the case of virus protection, this is normally not true (in fact, in my experience, NEVER). Although it may be permissible to run more than one anti-malware protection program at a time, one should have only one antivirus program operating at any given time. There are reasons for this.

Two different AV programs will often conflict, seeing each other as a virus, because of the nature of their operation. Thus, when one program succeeds in stifling the activities of the other, a window of opportunity for an actual virus may be created. More often, each will manage to limit the effectiveness of the other, thus creating a weakness that can be exploited. “Loops” can be created, wherein two AV programs will endlessly fight each other for control of a given function, leaving that function effectively unprotected. More is NOT better!

One should select their protection carefully, giving thought to the particular risks their browsing habits expose them to. As a member of many web professional forums, I prefer to make my selection after hearing the recommendations of others. I also have found that for my purposes, there is no need to purchase such a program.

There are a number of very effective AV programs, written and maintained by reputable organizations, that can be downloaded and installed at no charge. I presently use Avast, which I feel to be on a par with Avira, in terms of effectiveness in the AV realm. Both also offer enhanced versions for purchase, and have products that specialize in other levels of protection. Kaspersky is another system that has an excellent track record for protection.

Most such products offer a free evaluation period, up to a month, to see if their program does the job you want. I usually warn people away from such evaluation periods, however, simply because some such programs are difficult to remove completely (Symantec’s Norton is one that’s notoriously difficult to get rid of) from your system.

There are a few things that should be remembered, when searching for the best AV program for your system:

  • NO AV program is perfect! Some are better than others, but new exploits are released almost daily, and your protection is only as good as its relevancy. If it updates virus definitions weekly, then you may be vulnerable to new viruses for several days between updates.
  • The sort of experts that are capable of developing protection against viruses have their doppelgangers on the other side of the coin… those that develop the viruses to begin with. Both are good at what they do, and at any given moment, one will be a step ahead of the other.
  • Realtime scanning is an important feature to seek in your AV protection. Scanning emails and downloads is important, but viruses and malware can be activated by the simple act of clicking on a text link, an image or opening an attachment. Just entering a page can enable an infection, without sufficient protection.
  • The best AV protection available cannot do the job alone. YOU have to take an active part in protecting your system. If you frequent poor reputation sites, hang out in “bad neighborhoods”, the infection of your computer is made much more probable, regardless of the AV protection you run.

AV protection is only one aspect of protection. A reliable firewall and adequate anti-spyware protection are other important protections that should be considered. I suggest you investigate what security bloggers and forum members have to say about the AV protection they have used or are using. A satisfied customer is always a good reference.

ASP.Net Vulnerability Patch released: Microsoft Security Bulletin MS10-070


Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

Microsoft has released the ASP.NET vulnerability patch through the Download Center; details are in Microsoft Security Bulletin MS10-070.

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. Microsoft Knowledge Base Article 2418042 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

The patch is available through Microsoft download centre

ASP.NET Security Vulnerability Workaround


Update on ASP.NET Vulnerability

Earlier this week we posted about an ASP.NET vulnerability.
Microsoft is actively working on releasing a security update that fixes the issue and is ready for broad distribution across all Windows platforms via Windows Update. We'll post details about this once it is available.

Revised Workaround and Additional URLScan Step
In our first community post we covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure.
This additional step can be done at a server-wide level, and should take less than 5 minutes to implement. Importantly, this step does not replace the other steps in the original workaround, rather it should be done in addition to the steps already in it. Below are instructions on how to enable it.

Install and Enable IIS URLScan with a Custom Rule

If you do not already have the IIS URLScan module installed on your IIS web server, please download and install it. It takes less than a minute to install on your server.

Add an Additional URLScan Rule
Once URLScan is installed, please open and modify the UrlScan.ini file in this location:

%windir%\system32\inetsrv\urlscan\UrlScan.ini

Near the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:

[DenyQueryStringSequences]
aspxerrorpath=

The above entry disallows URLs that have an aspxerrorpath= querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.
After saving this change, run

iisreset

from an elevated (Run as administrator) command prompt for the change to take effect. To verify it, request a URL on your site/application whose query string contains aspxerrorpath= and confirm that IIS returns an HTTP error.
URL Scan Summary
If you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.
Our team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability. Until that update is available, you can use the above workaround to help prevent attackers from using the vulnerability against your applications.
Once we release the security update, you will no longer need to implement any workaround steps.

The alternative option: Using IIS request filtering:
These instructions are an alternative for the UrlScan instructions above for systems running IIS on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2.
1. Install the Request Filtering feature in IIS through either Add/Remove Programs or Role Manager by selecting the feature under Internet Information Services, World Wide Web Services, Security.
2. Launch Internet Information Services (IIS) Manager.
3. Select the server node in the left pane.
4. Double-click Request Filtering.
5. Select the Query Strings tab and click Deny Query String … in the Actions pane.
6. Enter aspxerrorpath= in the dialog box and select OK.

Alternatively, you can also use the following appcmd command to set this request querystring:

appcmd set config /section:requestfiltering /+denyQueryStringSequences.[sequence='aspxerrorpath=']

For more information on using appcmd to configure IIS, see Getting Started with AppCmd.exe.

Configure ASP.Net applications to use uniform custom errors
In the root folder of each ASP.NET web application, determine if you already have a web.config file in this folder. You must have rights to create a file in the target directory to implement this workaround.
If the ASP.NET application does not have a web.config file:

On .NET Framework 3.5 and earlier

1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:

<configuration>
    <location allowOverride="false">
        <system.web>
            <customErrors mode="On" defaultRedirect="~/error.html" />
        </system.web>
    </location>
</configuration>

2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.
3. Alternatively, you can change error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.

On .NET Framework 3.5 Service Pack 1 and later

1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:

<configuration>
    <location allowOverride="false">
        <system.web>
            <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
        </system.web>
    </location>
</configuration>

2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx file:

<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    void Page_Load()
    {
        // Sleep for a random 0-255 ms drawn from a cryptographic RNG so that
        // response timing gives away less about which error occurred.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);
        IDisposable disposable = prng as IDisposable;
        if (disposable != null)
        {
            disposable.Dispose();
        }
    }
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>An error occurred while processing your request.</div>
</body>
</html>

3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:

<%@ Page Language="VB" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    Sub Page_Load()
        ' Sleep for a random 0-255 ms drawn from a cryptographic RNG so that
        ' response timing gives away less about which error occurred.
        Dim delay As Byte() = New Byte(0) {}
        Dim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()
        prng.GetBytes(delay)
        Thread.Sleep(CType(delay(0), Integer))
        Dim disposable As IDisposable = TryCast(prng, IDisposable)
        If Not disposable Is Nothing Then
            disposable.Dispose()
        End If
    End Sub
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <div>An error occurred while processing your request.</div>
</body>
</html>

If the ASP.NET application already has a web.config file:

On .NET Framework 3.5 RTM and earlier

1. Insert the bracketed text in the sample below into your existing web.config file:

<?xml version="1.0"?>
<configuration>
    <configSections> … </configSections>
    <appSettings> … </appSettings>
    <connectionStrings> … </connectionStrings>
    [
    <location allowOverride="false">
        <system.web>
            <customErrors mode="On" defaultRedirect="~/error.html" />
        </system.web>
    </location>
    ]
    <system.web> … </system.web>
    <system.codedom> … </system.codedom>
</configuration>

2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.
3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.

On .NET Framework 3.5 Service Pack 1 and later

1. Insert the bracketed text in the sample below into your existing web.config file:

<?xml version="1.0"?>
<configuration>
    <configSections> … </configSections>
    <appSettings> … </appSettings>
    <connectionStrings> … </connectionStrings>
    [
    <location allowOverride="false">
        <system.web>
            <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />
        </system.web>
    </location>
    ]
    <system.web> … </system.web>
    <system.codedom> … </system.codedom>
</configuration>

2. Create an ErrorPage.aspx file in the root folder of the ASP.NET application. It is the same file shown above under "On .NET Framework 3.5 Service Pack 1 and later" for applications without a web.config: use the C# version or the Visual Basic .NET version, whichever you are comfortable with.

Impact of Workaround:
If an error occurs during a Web transaction, Web clients will see the same generic error message from the server regardless of which error actually occurred. Additionally, any request whose query string contains aspxerrorpath= will be blocked and an HTTP error returned to the client.

You can learn more about this vulnerability and the workaround from: