Security experts have warned of a critical bug in the standard web authorisation technology used by hundreds of thousands of websites.
Fortify Software has identified a problem with the VBAAC (Verb-based access and authentication control) aspect of web security technology which affects a number of different products.
The flaw allows hackers to manipulate the http: verb to bypass otherwise effective security controls.
Rob Rachwald, director of product marketing at Fortify, said: "The flaw is unusual in being systemic and therefore not directed at any one vendor's products."
The flaw is essentially "a bug in a security feature", according to Rachwald, and the most popular J2EE container applications all have the flaw inherent in their authorisation procedures.
"For example, a piece of http: code might seek to limit access to a given directory except for those users logged in with Admin rights," he said.
"Exploiting the flaw means that, instead of blocking approaches not specified in a security rule, the code allows almost any method that is not specified.
"Using this approach leaves the system open to infection by malware, or perhaps worse. By listing specific methods in the security rule, software developers end up opening the system a lot wider than they originally intended. "
The flaw can be prevented by programming the web and application server system to disallow non-standard requests such as 'Head', as well as never serving the JSPs directly but placing all JSP-INF files into a container (e.g. Web-Inf) and limiting calls to that container.
"Direct calls to JSPs should be avoided if at all possible. Developers should always invoke the request from the environment they are expected to be in and not from a dictionary collection of request data," said Rachwald.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago