Hacker
Hackers could manipulate the http: verb to bypass otherwise effective security controls

Bug exposed in web security standard

VBAAC flaw could affect hundreds of thousands of sites

Robert Jaques

Security experts have warned of a critical bug in the standard web authorisation technology used by hundreds of thousands of websites.

Fortify Software has identified a problem with the VBAAC (Verb-based access and authentication control) aspect of web security technology which affects a number of different products.

Advertisement

The flaw allows hackers to manipulate the http: verb to bypass otherwise effective security controls.

Rob Rachwald, director of product marketing at Fortify, said: "The flaw is unusual in being systemic and therefore not directed at any one vendor's products."

The flaw is essentially "a bug in a security feature", according to Rachwald, and the most popular J2EE container applications all have the flaw inherent in their authorisation procedures.

"For example, a piece of http: code might seek to limit access to a given directory except for those users logged in with Admin rights," he said.

The flaw is unusual in being not directed at any one vendor's products

Rob Rachwald Fortify Software

"Exploiting the flaw means that, instead of blocking approaches not specified in a security rule, the code allows almost any method that is not specified.

"Using this approach leaves the system open to infection by malware, or perhaps worse. By listing specific methods in the security rule, software developers end up opening the system a lot wider than they originally intended. "

The flaw can be prevented by programming the web and application server system to disallow non-standard requests such as 'Head', as well as never serving the JSPs directly but placing all JSP-INF files into a container (e.g. Web-Inf) and limiting calls to that container.

"Direct calls to JSPs should be avoided if at all possible. Developers should always invoke the request from the environment they are expected to be in and not from a dictionary collection of request data," said Rachwald.

  • Have your say
  • Send to a friend
  • Print
  • Digg
  • Reddit
  • Share

Tags:

Do you agree?

Related whitepapers

Related jobs

Most watched

Social networking

Summit: How businesses should manage their brands online

In part one of V3.co.uk's interview with Dirk Singer, he dicusses social media monitoring strategies

RIM discusses new developer tools

Blackberry exec on the latest offerings for programmers

Analysis and Reports

Remote access - Three steps to getting connected

3.4 million UK professionals now work from home – is your company equipped?

Cost benefits of a global collaboration network

This white paper is a must read for organisations looking for evidence of the bottom-line benefits of high-definition video and voice communications

Poll

Impact of Information Overload poll

Impact of Information Overload poll

What is the biggest problem your firm faces as a result of the data explosion?

View poll results

Advertisement

White paper library

Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.

Advertisement

Newsletter signup

Sign up for our range of FREE newsletters:

Existing User

Newsletter user login:

Enter email address to edit your newsletter preferences

Job of the week

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search

Hiring now on ComputingCareers:

Related IT jobs

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search

Advertisement

Spotlight

Summit: IBM's Nick Davis on collaboration

IBM's collaboration technologist outlines tools that can aid working together

Summit video: Alcatel-Lucent on network impact of information overload

Alcatel-Lucent's Neal Tilley discusses how firms can cope with the...

simon perry

Comment: Information overload is a price worth paying if it helps the planet

Analyst Simon Perry argues that the data deluge doesn't have...

police car

Microsoft confirms Cofee spill

Software giant asks users not to download its forensics tool

Primary Navigation