Vulnerabilities can be serious threats. Once found, system administrators try everything to restore security, such as patching and mitigating. Patching is always the first choice since it’s normally the definitive way to resolve the vulnerability. However, system administrators will sometimes need to mitigate, especially in two cases:

Case 1. A patch has not been released by the vendor.
Case 2. Patching the vulnerability isn’t a high priority in the customer’s environment but still needs to be addressed.

Many vulnerabilities can be mitigated by changing a specific configuration setting in the OS or application. In this blog post, I use HTTPoxy as an example of how Qualys Policy Compliance can play an important role in this type of mitigation by identifying and reporting on all your systems that don’t have the desired configuration.

Continue reading …

The prevalence of accidents, like that of vulnerabilities, tells us there is no perfect thing. And even if any given vulnerability is unexpected, we know from experience that the existence of vulnerabilities is inevitable. Hackers know this too, of course, and a determined hacker will use whatever tools are available to him to find vulnerabilities to exploit. One of the most obvious tools for a hacker is research, and simply inspecting the data your application publishes about itself can yield helpful information to a hacker. But how much data your application makes available to hacker research is within your control. It is feasible to mitigate the risk of hacker research by implementing policy compliance best practices. As a Policy Compliance signature developer, I will take Apache HTTP Server as an example to illustrate how applications can leak data that is helpful to hackers, and how you can prevent it.

Continue reading …

Recently, I found that one of Adobe ColdFusion’s patches (APSB11-29) doesn’t resolve a cross-site scripting (XSS) vulnerability completely. In a specific case, the vulnerability can be replayed. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of a vulnerable site. Adobe has updated its advisory to warn users about this potential risk.

From the advisory APSB11-29, we can see that Adobe fixed a cross-site scripting vulnerability in the CFForm tag (CVE-2011-2463). And, as you know, Adobe ColdFusion Server is based on Java. So, in this article, I’ll analyze the patch with a Java decompiler tool to reveal the issue and the potential risk in the patch itself. Now let’s go further into it.

Continue reading …