Application Security

Apache Access Vulnerability Could Affect Thousands of Applications

A recently discovered issue with a common file access method could be a major new attack surface for malware authors.

Vulnerabilities in Apache functions have been at the root of significant breaches, including the one suffered by Equifax. Now new research indicates that another such vulnerability may be putting thousands of applications at risk.

Lawrence Cashdollar, a vulnerability researcher and member of Akamai's Security Incident Response Team, found an issue with the way that thousands of code projects are using Apache .htaccess, leaving them vulnerable to unauthorized access and a subsequent file upload attack in which auto-executing code is uploaded to an application.

The problem, Cashdollar said, is that .htaccess functionality was turned off by default beginning in Apache Version 2.3.9 – though for good reasons. "It turns out that it was a performance hit for the Apache server," he told Dark Reading, explaining that every time a directory was opened, a call to the files in .htaccess would result.

Even more serious, he said, were the security implications. "Users could use this .htaccess access to override security controls for the server itself or the server configuration itself," Cashdollar said. "So it was a security feature that could be misused."

A security vulnerability is born, Cashdollar said, when a developer looks at very old documentation and uses .htaccess for authentication instead of one of the methods now suggested by the Apache Foundation. "It's going to silently fail" when called, he said, returning no error message and allowing free access.

Cashdollar said he got a feeling for the scope of the vulnerability when he explored a software project by Blueimp called jQuery File Upload. It is a frequently used file upload widget that allows many file types to be uploaded to a website built with a number of different programming languages.

jQuery File Upload is popular. "The project in GitHub has 7,800 clones of it or forks," Cashdollar said. "So there are at least 7,800 derivatives of this vulnerable code out there." GitHub allowed him to see 1,000 of these forks, and he hand-checked dozens; all were vulnerable.

When the vulnerability was reported to Blueimp, the issue was confirmed and a patch applied to the main fork. Other forks remain vulnerable until a patch is applied or a different authentication method is used in the application.

In a GitHub project explaining CVE-2018-9206 (the designation now given the vulnerability), Cashdollar shows how an exploit could work. He also notes that exploits of this vulnerability have appeared in the wild — which isn not a secret to the hacking community.

Cashdollar's blog post explaining his research on this vulnerability outlines the research process and the vulnerability's implications. "Unfortunately, there is no way to accurately determine how many of the projects forked from jQuery File Upload are being properly maintained and applying changes as they happen in the master project," he wrote. "Also, there is no way to determine where the forked projects are being used in production environments, if they’re being used in such a way. Moreover, older versions of the project were also vulnerable to the file upload issue, going back to 2010."

For developers, the implication is clear: Review changes to the systems and libraries used in projects, and make sure that all are being used and configured in ways that permit them to do the job they're called to perform in the application.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.