All Posts

How Policy Compliance Plays a Mitigation Role to Protect Your System

Vulnerabilities can be serious threats. Once found, system administrators try everything to restore security, such as patching and mitigating. Patching is always the first choice since it’s normally the definitive way to resolve the vulnerability. However, system administrators will sometimes need to mitigate, especially in two cases:

Case 1. A patch has not been released by the vendor.
Case 2. Patching the vulnerability isn’t a high priority in the customer’s environment but still needs to be addressed.

Many vulnerabilities can be mitigated by changing a specific configuration setting in the OS or application. In this blog post, I use HTTPoxy as an example of how Qualys Policy Compliance can play an important role in this type of mitigation by identifying and reporting on all your systems that don’t have the desired configuration.

CGI application vulnerability httpoxy for PHP, Go, Python and others
A CGI application vulnerability called httpoxy was announced today with coordinated disclosure from many vendors. The vulnerability allows an attacker to remotely set the HTTP_PROXY environment variable on affected servers which can lead to a number of bad consequences.

BASH Shellshock vulnerability – Update5

Update5: We have added a new profile in Qualys VM that uses the advanced crawling capabilities of Qualys WAS to detect Shellshock in CGI programs. With this profile you get better coverage than with the current QID 13038. There is a good explanation of how to set up the profile in our blog post: Custom Option Profile To Detect Bash Shellshock

Check it out. I am looking forward to your feedback.

Update4: Our web application scanner (WAS) has been updated with a Shellshock detection. Look for QID 150134 in your WAS scans. Unlike our VM detections, WAS has an advanced crawler with JavaScript capabilities, which allows it to cover the entire website and probe a much wider range of CGI scripts susceptible to Shellshock.

Update3: The last couple of days have been filled with new information on Shellshock. Today, for example, we had news of a first botnet that is using Shellshock, illustrating the speed. We are working on adding checks into other relevant areas, such as our Web Application Scanner. Stand by for more news on that. In the meantime we have collected a number of community posts on how to use QualysGuard to detect and report on Shellshock. Here is a quick run-down for your reference:
