The most recent Netcraft Web Server Survey found more than 62 million websites running Microsoft IIS 6.0, but many of these are unlikely to be affected by the latest WebDAV remote authentication bypass vulnerability.

A new WebDAV vulnerability was published by Nikolaos Rangos on Friday, and details how attackers can bypass access restrictions using a flaw in the WebDAV functionality of IIS 6.0. Because the server fails to handle Unicode tokens properly, the bug gives attackers access to password-protected folders and, in some cases, the ability to upload files to the affected web servers.

Although IIS 6.0 accounts for more than 90% of the Microsoft-hosted sites on the Internet, the total number of vulnerable sites is likely to be substantially smaller than 62 million, because WebDAV is not a default component of IIS 6.0 when a Windows Server 2003 machine is given the role of Application Server. Nonetheless, some administrators install and enable WebDAV to provide a convenient means of publishing and managing web server content through firewalls – because WebDAV is an extension to the HTTP protocol, it can operate over the same port number as HTTP.

Microsoft issued a security advisory on Monday, which also lists IIS 5.0 as vulnerable. This issue may affect a much larger proportion of the 2.8 million IIS 5.0 websites as, unlike its successor, Windows 2000 Server automatically installs WebDAV alongside IIS 5.0.

Posted by Paul Mutton at 20 May 2009 in Security

Two years after their first appearance in the Netcraft SSL Survey, there are now more than 11 thousand Extended Validation (EV) SSL certificates in use on the Web. Despite enjoying two years of continued growth, EV SSL certificates still only make up around 1% of all SSL certificates in use on the Internet.

[Image: ebuyer-ev-ssl.png. Nearly all modern browsers now support EV SSL certificates by colouring all or part of the address bar in green.]

[Chart: EV SSL Growth - 2 Years]

The proportion of EV SSL certificates rises considerably amongst the world's busiest websites, as shown by Netcraft's top 1 million sites dataset. In general, it seems, the more traffic an SSL site has, the more likely it is to use an EV certificate, and in particular, more than a quarter of the SSL certificates within the top 1,000 sites have extended validation.

Population      SSL Certificates   EV SSL Certificates   EV SSL Share
All Sites       1,028,868          11,300                1.1%
Top 1,000,000   45,851             2,662                 5.8%
Top 100,000     7,012              710                   10.1%
Top 10,000      712                115                   16.2%
Top 1,000       60                 17                    28.3%

Posted by Paul Mutton at 27 February 2009 in Security

A new wave of phishing attacks against eBay is exploiting a clever combination of wildcard DNS records and cross-site scripting (XSS) vulnerabilities to use other people's websites to help steal credentials from victims.

The first attacks using this combined method of wildcard DNS records and XSS were detected by Netcraft on February 10th, although the source code behind the attacks suggests that the planning had begun a day earlier. The attacks have continued to the present day, and the fraudulent eBay login form remains accessible through the wildcard domains.

Fraudsters launched the attack using a number of sites that host vulnerable versions of iRedirector Subdomain Edition. This PHP and MySQL based system allows website owners to use wildcard DNS records on their domains to forward subdomains like http://user.example.com to URLs like http://www.example.com/members/~username.

A cross-site scripting vulnerability on the affected iRedirector sites is allowing the fraudsters to inject framesets into specific pages. These framesets load content from one of the fraudsters' websites hosted in France at http://df0x.54.pl, which in turn loads an iframe located at http://0xdc4bdd88:88/ws/eBayISAPI.dll/. This injected iframe presents a fraudulent eBay login page, which prompts the victim to submit their eBay User ID and Password to a site hosted by Sudokwonkangnambonbujang in South Korea.

Because the vulnerable sites can be accessed via wildcard DNS records, the fraudsters have made the attacks look all the more convincing by making the hostnames look similar to those used by the genuine eBay login page. For example, the attack has used many hostnames that are similar to this:

[Image: ie-ebay-wildcard-url.png, an example of one of the attack hostnames as shown in the browser address bar]

The hostnames used in these attacks also contain a seemingly random string of hexadecimal digits. These are simply MD5 hashes of small integers. It is likely that this semi-random measure is being used to try to bypass simplistic firewalls or email filters, which may not recognise fraudulent URLs if part of the hostname changes.

The unobtrusive methods used in the current wave of attacks have obvious appeal to fraudsters — the wildcard DNS records mean that it's easy to use arbitrary hostnames for each attack, allowing each vulnerable site to be convincingly used for many different targets. Furthermore, there is no need for the fraudsters to fully compromise a website, as the cross-site scripting vulnerability allows the fraudulent content to be placed on the sites without gaining internal access to the server. Finally, all it takes is a simple Google search to find additional sites with the same vulnerabilities. The combination of these factors makes it entirely feasible to automate the whole process.
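A defender-side check for the hostname pattern described above, as an added example that is not Netcraft's code: it builds a lookup table of MD5 digests of small integers (assumed to have been hashed as their decimal ASCII strings, which is an assumption, not something the post states) and flags hostnames that embed one of those digests, alongside a check for a brand name placed in a subdomain label. The sample hostnames are constructed for the example, not taken from the real attack.

```python
import hashlib
import re

# Added example, not Netcraft's code. Flags hostnames whose labels embed the MD5 hex
# digest of a small integer, the pattern the eBay phishing hostnames used.
# Assumption: the integers were hashed as their decimal ASCII strings ("0", "1", ...).

HEX32 = re.compile(r"[0-9a-f]{32}")


def md5_small_int_table(limit=100000):
    """Map md5(str(n)) -> n for 0 <= n < limit, so a digest can be reversed by lookup."""
    return {hashlib.md5(str(n).encode("ascii")).hexdigest(): n for n in range(limit)}


def find_md5_labels(hostname, table):
    """Return [(digest, n), ...] for every 32-hex run in the hostname that is md5 of a small int."""
    host = hostname.lower().rstrip(".")
    return [(d, table[d]) for d in HEX32.findall(host) if d in table]


def classify(hostname, table):
    """Summarise the checks a mail or URL filter might apply to one hostname."""
    hits = find_md5_labels(hostname, table)
    labels = hostname.lower().rstrip(".").split(".")
    # A brand name appearing in a label left of the registered domain is the lookalike
    # trick; the registered domain is assumed to be the last two labels here.
    brand_in_subdomain = any("ebay" in lab for lab in labels[:-2])
    return {
        "md5_of_int": hits,
        "brand_in_subdomain": brand_in_subdomain,
        "suspicious": bool(hits) or brand_in_subdomain,
    }


# Constructed sample hostnames (not the real attack hostnames). The fourth label of the
# first one is md5("1234"); the second is a benign host with a random-looking hex label.
SAMPLES = [
    "signin.ebay.com." + hashlib.md5(b"1234").hexdigest() + ".redirect.example",
    "cdn." + "deadbeef" * 4 + ".example",
    "www.example.com",
]


def scan(hostnames=SAMPLES, limit=100000):
    """Classify each hostname; returns {hostname: verdict}."""
    table = md5_small_int_table(limit)
    return {h: classify(h, table) for h in hostnames}


if __name__ == "__main__":
    for host, verdict in scan().items():
        print(host, verdict)
```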

Posted by Paul Mutton at 17 February 2009 in Security

New vulnerabilities were discovered yesterday in multiple programs using OpenSSL, one of the standard cryptography libraries on Linux and Unix systems. Because of a common mistake in checking the return values of OpenSSL's signature-verification functions, several programs may be vulnerable to spoofing of digital signatures.

The most important affected program is ISC BIND, which is the most widely used DNS server on the internet. A flaw in its validation of signatures on DNSSEC replies means that the server may be vulnerable to DNS spoofing attacks even where DNSSEC is in use. ISC released BIND 9.6.0-P1 this morning to fix this bug.

Posted by Colin Phipps at 8 January 2009 in Security

Netcraft's SSL Survey shows that 14% of valid third party SSL certificates are using MD5 signatures — an algorithm that is demonstrably vulnerable to attack.
Posted by Colin Phipps at 1 January 2009 in Security

Netcraft has detected another live vulnerability on a Yahoo website, which is currently being used to steal authentication cookies from its users — transmitting them to a website under the control of a remote attacker. The attacker can then use the stolen details to gain access to his victims' Yahoo accounts, such as Yahoo Mail.

Posted by Paul Mutton at 26 October 2008 in Security

Netcraft's Phishing Site Takedown and Countermeasures service helps banks respond to phishing attacks promptly and effectively.

Posted by Paul Mutton at 9 September 2008 in Netcraft Services, Security

Netcraft's June SSL Survey has found that a significant number of SSL certificates are affected by the Debian OpenSSL vulnerability, including Extended Validation SSL certificates and certificates belonging to banks.

Posted by Paul Mutton at 12 June 2008 in Security

A security researcher in Finland has discovered a cross-site scripting vulnerability on paypal.com that would allow hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.

Posted by Paul Mutton at 16 May 2008 in Security

Following Obama's recent XSS attack, a security researcher in Finland has discovered a similar vulnerability on a Clinton supporter site.

Posted by Paul Mutton at 24 April 2008 in Security