Two new WAS QIDs - 150114 Arbitrary File Upload Vulnerability and 150128 SSL Downgrade

Discussion created by fmc on Jun 27, 2014
Latest reply on Jul 2, 2014 by fmc



We will soon be releasing two new WAS QIDs contained within the WAS-3.6.33-1 patch. The information on these two new QIDs is as follows:


QID 150114 Arbitrary File Upload Vulnerability


What it is:

Arbitrary or unrestricted file upload (AFU) allows an attacker to transfer files that contain malicious content to the web application's environment. Allowing a user to upload files to the web application exposes the server to compromise, depending on how the application handles such files. Arbitrary code execution is possible if an uploaded file is interpreted and executed as code by the web server. For example, a web application may accept text files with the intention of displaying their raw content, but instead execute an uploaded file that contains Java or PHP source code (which is a text file). Hence uploaded files represent a significant risk to web applications.


The arbitrary file upload test is performed only for links whose forms contain an input field of type file.


We simulate the attack and report the vulnerability if appropriate evidence of a successful file upload is found.


Possible Consequences of the Vulnerability:

The consequences of unrestricted file upload depend on what the application does with the uploaded file and especially where it is stored. They can vary from simple defacement to complete system takeover. An attacker could upload custom JavaScript files and direct a victim to them. These files are served from a directory inside the application, which can be used to circumvent the same-origin policy protection, for example to steal cookies. Internet Explorer ignores the MIME type of files in some cases and detects the file type based on the file's content (content sniffing), which, combined with unrestricted file upload, might lead to an XSS attack. The following are a few risk factors related to arbitrary file upload:


A malicious file such as a shell script can be uploaded to the server. The server could then be used to host malware, illegal software, or other objects.


An attacker might be able to place a phishing page or a stored XSS payload in the website.




QID 150128 SSL Downgrade


What it is:

Users operate in hostile network environments due to the proliferation of wireless networks, especially in public places. The HTTPS protocol can shield web users from attacks such as sniffing and traffic injection, but real-world deployments mis-configure servers, leading to compromised browser sessions of legitimate users. The SSL Downgrade QID checks whether the web application is using HTTPS persistently, i.e. post authentication.


The SSL Downgrade test begins by checking whether a login form is present and authentication is successful. We then compare whether the authentication and post-authentication requests are using SSL. If a post-authentication request is not using SSL, we check whether the session cookie has the secure flag set. The test reports a vulnerability if a non-secure cookie is served over HTTP. Currently the test also reports a vulnerability if it observes a discrepancy between the SSL usage of the authentication and post-authentication requests.
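The check described above, as an added example that is not Qualys code: a small Python audit function run over a constructed record of the authentication and post-authentication requests (the host name, cookie name and record layout are assumptions), flagging the two conditions the test reports.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample (hypothetical host): the login POST goes over HTTPS, but
# the first post-authentication page is fetched over plain HTTP.
SAMPLE_OBSERVED = [
    {"phase": "auth", "url": "https://app.example.test/login",
     "set_cookie": ["SESSIONID=abc123; Path=/; HttpOnly"]},
    {"phase": "post_auth", "url": "http://app.example.test/account",
     "set_cookie": []},
]

def is_https(url):
    return urlsplit(url).scheme.lower() == "https"

def secure_flags(set_cookie_headers):
    """Map cookie name -> whether its Set-Cookie header carried Secure."""
    flags = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            flags[name] = bool(morsel["secure"])
    return flags

def check_ssl_downgrade(observed, session_cookie="SESSIONID"):
    """Return a list of findings, empty when no downgrade condition is seen."""
    auth = [r for r in observed if r["phase"] == "auth"]
    post = [r for r in observed if r["phase"] == "post_auth"]
    if not auth or not post:
        return []  # no authenticated session to evaluate
    findings = []
    auth_https = all(is_https(r["url"]) for r in auth)
    post_https = all(is_https(r["url"]) for r in post)
    if auth_https != post_https:
        findings.append("SSL usage differs between authentication and "
                        "post-authentication requests")
    if not post_https:
        # Only the Secure flag stops the browser sending the cookie over HTTP.
        flags = {}
        for r in auth + post:
            flags.update(secure_flags(r["set_cookie"]))
        if not flags.get(session_cookie, False):
            findings.append(f"session cookie {session_cookie} lacks the Secure "
                            "flag and is exposed over HTTP")
    return findings

if __name__ == "__main__":
    for finding in check_ssl_downgrade(SAMPLE_OBSERVED):
        print("VULNERABLE:", finding)
```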


Possible Consequences of the Vulnerability:

Most web applications choose to serve the same content over HTTP and HTTPS; for example, Gmail used to serve content to authenticated users over both HTTP and HTTPS. Web applications deploy HTTPS to protect users' authentication, credit card and other sensitive details from eavesdroppers while leaving other pages to be served over unencrypted HTTP for performance benefits. The caveat here is that most of these applications set a non-secure cookie containing the user's session information. This cookie gets sent over unencrypted web traffic and can easily be captured by an eavesdropper to hijack the user's session. Though a security-savvy end user may access the web application over SSL by explicitly typing HTTPS in the address bar, a single insecure HTTP request caused by a button click or a redirect by the web site can easily lead to a compromise of the user's session information.