Search This Blog

Showing posts with label Apache Vulnerability. Show all posts

Apache Httpd 2.4.39 Fixed the Flaw Which Let Users Gain Root Access



A vulnerability in the Apache HTTP server which allows users to write and run scripts in order to gain root on Unix systems was patched in Apache httpd 2.4.39 release.

According to the changelog which was tracked as CVE-2019-0211, all Apache HTTP Server releases were impacted, starting from 2.4.17 to 2.4.38. Additionally, the execution of arbitrary code through scoreboard manipulation has also been made possible.

As the web server is employed for running shared hosting instances, Mark J. Cox, Apache Software Foundation and the OpenSSL project founding member, emphasized on the seriousness of the issue in a Twitter post he made about CVE-2019-0211 security issue.

Users with few permissions on the server would now be able to extend the privileges by making the use of scripts which run commands on defenseless Apache servers as root, Cox further explained.

Along with this major flaw, two other control bypass security vulnerabilities were also patched with the Apache HTTP Server 2.4.39 release.

Besides these three, the latest Apache httpd release also fixed three less severe flaws which potentially could have led to normalization inconsistency issues and crashes.

The privilege escalation vulnerability of significant severity was reported by a security engineer on February 22 along with a response and reportedly a fix have been provided by Apache on March 7.





Security flaw in India Post server revealed by researcher

French security researcher Robert Baptiste who goes by Elliot Anderson on Twitter has been revealing cybersecurity flaws in the Indian scene for a while now. This time, he has reported a vulnerability on the India Post server that allows remote code execution.

Baptiste has in fact reported this flaw in place of an Indian researcher who chose to remain anonymous because of legal implications in face of Indian law.

The subdomain of India Post — digitization.indiapost.gov.in — was vulnerable to an Apache vulnerability i.e. CVE 2017-5638. It meant that the attacker would be able to run code on India Post server, as shown below:




The flaws led to exposed bank details of employees as well as databases of sensitive information. He posted several screenshots of the files he was able to access by exploiting the flaw.


He also revealed that he was not the first person to exploit these flaws and posted screenshots that show activity from almost a year ago on 14th April, 2017.


The vulnerability has since been fixed, leading to Elliot Anderson tweeting out the details of this recent hack.



NIC uses vulnerable Apache version, results in "Expect header XSS" vulnerability


The hackers who recently defaced Top level Domains of Turkmenistan by exploiting the vulnerability in NIC.tm, has discovered another vulnerability in the website.

They found that the few NIC websites uses the vulnerable version of Apache server(version 1.3.33) .   The version has a security flaw that exists in the handling of invalid Expect headers. Modifying the Expect header value to XSS code results in Cross site scripting attack.

GET / HTTP/1.1
Expect: <script>alert("E Hacking News")</script>
Host: nic.tm
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

Expect Header xss attack


The vulnerability affects four NIC websites : www.nic.ac, www.nic.tm ,www.nic.io,www.nic.sh.

There is another important security flaw in the Apache server : Mod_rewrite which is vulnerable to buffer overflow(Vulnerability Details). 

Vulnerability in Millions of LaserJet printers allows remote Hacking

A Vulnerability in Millions of LaserJet printers allows remote hacker to install/execute malicious firmware , discovered by Researchers At Columbia University.  They discovered this vulnerability in HP Lasterjet printers, perhaps on other firms’ printers, too.

"Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire? Or use a hijacked printer as a copy machine for criminals, making it easy to commit identity theft or even take control of entire networks that would otherwise be secure?"

Interestingly , an attacker can make physical damage to victims' printer remotely using this vulnerability. Unfortunately, there is no easy fix for this vulnerability and there's no way to tell if hackers have already exploited it.

The researcher reported to HP( Hewlett-Packard) about this security flaw last week. HP said Monday that it is still reviewing details of the vulnerability, and is unable to confirm or deny many of the researchers’ claims, but generally disputes the researchers’ characterization of the flaw as widespread.

Keith Moore, chief technologist for HP's printer division, said the firm "takes this very seriously,” but his initial research suggests the likelihood that the vulnerability can be exploited in the real world is low in most cases.

“Until we verify the security issue, it is difficult to comment,” he said, adding that the firm cannot say yet what printer models are impacted.

Columbia researcher Ang Cui explains how he was able to infect an HP printer with malicious code.

But the Columbia researchers say the security vulnerability is so fundamental that it may impact tens of millions of printers and other hardware that use hard-to-update “firmware” that’s flawed.

Continue the Full article here.

Apache 2.2.20 released to fix DDoS vulnerability

Today, Apache 2.2.20 released to in order to fix the DDOS vulnerability reported few days back.

Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file.

For more Details:
https://www.apache.org/dist/httpd/Announcement2.2.html