A new zero-day vulnerability (CVE-2017-7269) impacting Microsoft IIS 6.0 has been announced with proof-of-concept code. This vulnerability can only be exploited if WebDAV is enabled. IIS 6.0 is a component of Microsoft Windows Server 2003 (including R2.) Microsoft has ended support for Server 2003 on July 14, 2015, which means that this vulnerability will most likely not be patched. It is recommended that these systems be upgraded to a supported platform. The current workaround is to disable the WebDAV Web Service Extension if it is not needed by any web applications.

The Qualys Cloud Platform can help you detect the vulnerability, track and manage Server 2003 Assets, as well as block exploits against web-based vulnerabilities like this one.

Continue reading …

Security researchers have disclosed a Buffer Overflow vulnerability (CVE-2017-7269) in the Microsoft Internet Information Service (IIS) 6.0 web server included in the Windows Server 2003 R2. Qualys Web Application Firewall (WAF) can help you block HTTP requests trying to exploit this vulnerability.

Continue reading …

On March 8, 2017, Qualys published a detailed blog to describe a critical vulnerability in Apache Struts2 Jakarta multipart parser that exposes vulnerable applications to Remote Command Execution attacks. Exploits of this vulnerability can allow attackers to steal critical data or take control of your application servers.

Qualys Web Application Firewall (WAF) 2.0 allows you to create custom security rules to detect and block attacks that try to exploit this vulnerability.

Continue reading …

The completely redesigned Qualys Web Application Firewall (WAF) 2.0 provides greater confidence in application security through increased customization, one-click virtual patching ability, simplified controls and stronger security rules. Available now with these and other improvements, WAF 2.0 helps customers fend off hackers’ increasingly common, aggressive and destructive web app attacks.

Continue reading …

This release of the Qualys Cloud Platform version 2.21 includes new major releases of both Web Application Firewall and Web Application Scanning. The release also includes numerous updates and new features for AssetView, Cloud Agent, and Security Assessment Questionnaire as follows:

• AssetView (Version 2.21.0) – One click access to vulnerability details for an asset and Improved filtering options for widgets.
• Cloud Agent Platform (Version 2.2.0) – Additional tuning parameters for the agent and simplified agent OS support information.
• Security Assessment Questionnaire (Version 2.6.0) – Improvements to Dynamic Reports, ability to customize Email templates, and ability to edit comments in responses.
• Web Application Firewall (Version 2.0.0) – Improved virtual appliance, improved integration with Web Application Scanning, a revamped user-interface and simplified security configuration.
• Web Application Scanning (Version 5.0.0) – Includes initial support for REST based testing, Scanner Appliance Pooling and drastic improvements to Progressive Scanning metrics.

The specific day for deployment will differ depending on the platform. Release Dates will be published on the Qualys Status page when available.

Continue reading …

Qualys Cloud Platform release 2.18 includes updates and new features for:

• Qualys Cloud Platform (Version 2.18.0)
• AssetView and ThreatPROTECT (Version 2.18.0)
• Security Assessment Questionnaire (Version 2.3.0)
• Web Application Scanning (Version 4.12.0)

Continue reading …

Adopting third-party libraries to encode user input in the development phase and using a web application firewall in the deployment phase could fool web security managers into thinking their web applications are completely safe from Cross-Site Scripting (XSS) attacks. While it’s a good idea to employ these techniques, the illusion of safety could prove costly. These protection methods do not guarantee that your web applications are 100% free of XSS vulnerabilities, and XSS attacks that use more sophisticated techniques still occur, so care should still be taken.

Continue reading …

Qualys Web Application Firewall 2.0 (WAF) now supports multiple secure web applications (HTTPS) in the same cluster, through the Server Name Indication (SNI) extension of TLS protocol. Multiple TLS certificates could now be presented on the same WAF Cluster IP, making the configuration and the deployment of multiple secure websites easier and quicker.

Continue reading …

A few days ago, SpiderLabs researcher Osaf Orpani disclosed an important vulnerability targeting Joomla, one of the most popular Content Management Systems (CMS). By exploiting this vulnerability, researchers were able to remotely gain full administrative access to the CMS.

Joomla versions 3.2 to 3.4.4 are affected by this major security issue. Since the vulnerability targets the core of the CMS, all websites based on Joomla are vulnerable, whatever the modules used.

Continue reading …

How boring would social networking websites, blogs, forums and other web applications with a social component be if they didn’t allow their users to upload rich media like photos, videos and MP3s?  The answer is easy: very, very boring! Thankfully, these social sites allow end-users to upload rich media and other files, and this makes communication on the world wide web more impactful and interesting.

But user-uploaded files also give hackers a potential entry-point into the same web apps, making their safe handling an extremely important task for administrators and the security team. If these files are not validated properly, a remote attacker could upload a malicious file on the web server and cause a serious breach.

Continue reading …