10 Jun 2008
Security experts have warned of a critical bug in the standard web authorisation technology used by hundreds of thousands of websites.
Fortify Software has identified a problem in VBAAC (verb-based authentication and access control), the part of a web container's security configuration that ties access rules to HTTP methods, which affects a number of different products.
The flaw allows attackers to bypass otherwise effective access controls simply by changing the HTTP verb (method) of a request, for example sending HEAD, or an arbitrary made-up method, where the protected rule only names GET and POST.
Rob Rachwald, director of product marketing at Fortify, said: "The flaw is unusual in being systemic and therefore not directed at any one vendor's products."
The flaw is essentially "a bug in a security feature", according to Rachwald, and the most popular J2EE containers all inherit it through their authorisation procedures: a security constraint that lists specific HTTP methods is enforced only for those methods, and every other method reaches the protected resource unchecked.
"For example, a piece of http: code might seek to limit access to a given directory except for those users logged in with Admin rights," he said.
"Exploiting the flaw means that, instead of blocking approaches not specified in a security rule, the code allows almost any method that is not specified.
"Using this approach leaves the system open to infection by malware, or perhaps worse. By listing specific methods in the security rule, software developers end up opening the system a lot wider than they originally intended."
The flaw can be prevented by configuring the web or application server to reject request methods the application does not actually use (HEAD included, since a HEAD request is routed to the same code as a GET), by writing security rules so that they cover every method rather than enumerating a few, and by never serving JSPs directly: place the JSP files under WEB-INF, which the container will not serve to a client, and reach them only through a servlet that forwards to them.
"Direct calls to JSPs should be avoided if at all possible. Developers should always invoke the request from the environment they are expected to be in and not from a dictionary collection of request data," said Rachwald.
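The following is an added example, not code from the article or from Fortify. It models how a Servlet container evaluates the `<security-constraint>` elements of a web.xml, so that the bypass described above can be reproduced offline: a constraint that lists `<http-method>GET</http-method>` and `<http-method>POST</http-method>` protects the /admin/ area against those two verbs only, and a HEAD request (or a request with an invented verb) sails through, while the same constraint with the method list removed covers every verb. The two web.xml fragments, the path /admin/users.jsp and the role name admin are constructed for the demonstration; the matching rules (url-pattern forms, method coverage, auth-constraint semantics, no direct serving of WEB-INF) follow the Servlet specification, simplified to a single container and no constraint merging.

```python
"""
Model of how a Servlet container applies web.xml <security-constraint>
elements, to show the HTTP verb tampering bypass and its fix.
Added illustration; not the article's or any vendor's code.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the vulnerable rule names the verbs it protects.
VULNERABLE_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: same rule with the <http-method> list removed,
# so the constraint covers every method the container receives.
FIXED_WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


@dataclass
class Constraint:
    patterns: list
    methods: set            # empty set: constraint applies to every method
    omissions: set          # Servlet 3.0 <http-method-omission>
    roles: Optional[list]   # None: no <auth-constraint>; []: deny everyone

    def covers(self, method: str) -> bool:
        """Does this constraint apply to a request using `method`?"""
        if self.omissions:
            return method not in self.omissions
        if self.methods:
            return method in self.methods   # the bypass lives here
        return True


def _local(tag: str) -> str:
    # Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}
    return tag.rsplit("}", 1)[-1]


def parse_constraints(web_xml: str) -> list:
    """Extract every <security-constraint> from a web.xml document."""
    root = ET.fromstring(web_xml)
    result = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, omissions, roles = [], set(), set(), None
        for el in sc.iter():            # document order: auth-constraint precedes its role-names
            name, text = _local(el.tag), (el.text or "").strip()
            if name == "url-pattern":
                patterns.append(text)
            elif name == "http-method":
                methods.add(text.upper())
            elif name == "http-method-omission":
                omissions.add(text.upper())
            elif name == "auth-constraint":
                roles = []
            elif name == "role-name" and roles is not None:
                roles.append(text)
        result.append(Constraint(patterns, methods, omissions, roles))
    return result


def url_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: default, path-prefix, extension, exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_allowed(constraints: list, method: str, path: str, user_roles=()) -> bool:
    """Container decision for one request; anonymous callers have no roles."""
    method = method.upper()
    if path.startswith("/WEB-INF/") or path.startswith("/META-INF/"):
        return False    # never served directly, whatever the constraints say
    applicable = [c for c in constraints
                  if c.covers(method) and any(url_matches(p, path) for p in c.patterns)]
    if not applicable:
        return True     # no constraint matched: the request is unconstrained
    for c in applicable:
        if c.roles is None:
            continue    # constraint without auth-constraint: open to all
        if not c.roles:
            return False    # empty auth-constraint: nobody may access
        if "*" in c.roles and user_roles:
            continue    # any authenticated user
        if not set(c.roles) & set(user_roles):
            return False
    return True


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        cons = parse_constraints(cfg)
        for verb in ("GET", "POST", "HEAD", "JEFF"):
            verdict = "allowed" if is_allowed(cons, verb, "/admin/users.jsp") else "denied"
            print(f"{label:10} {verb:5} /admin/users.jsp (anonymous) -> {verdict}")
```

Whether a request that slips past the constraint actually executes the protected code depends on what answers it: a JSP's generated service method handles every verb, and HttpServlet dispatches HEAD to the same doGet() as GET, so both of the bypass cases above are live against a JSP. Containers implementing Servlet 3.0 or later also offer `<http-method-omission>` and, from 3.1, `<deny-uncovered-http-methods/>`, which close the gap without rewriting every rule; the model above honours the first, and the fixed configuration needs neither.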
Worthless
Wow .... verb based security is insecure ? Is this article for real ?
Posted by: Jeff 10 Jun 2008