THE CENZIC BLOG

Cenzic SmartAttack Updates for Web Vulnerabilities

Latest web application vulnerabilities integrated into the Cenzic product suite.

This blog features the latest vulnerabilities in web / website applications (custom, commercial, and open-source) that are integrated into Cenzic's website security product suite on a weekly basis. These web application vulnerabilities include cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.


June 26, 2009

Cenzic Issues New SmartAttack in 6.0 Release: HTTP Parameter Pollution Vulnerability

The HTTP Parameter Pollution Vulnerability is now detectable in Cenzic’s 6.0 release as a new SmartAttack category

As of June 26, 2009, Cenzic added its 101st SmartAttack to its latest 6.0 product suite:  HTTP Parameter Pollution Vulnerability (version 1.0). 

Published just a few days ago, the HTTP Parameter Pollution Vulnerability is one of the newest ways hackers can exploit Web applications. It stems from inconsistencies in how various platforms handle multiple occurrences of the same parameter. This vulnerability plays the role of an "enabler" that an attacker can exploit to craft more complex and destructive attacks. Due to the devastating nature of this attack, we immediately created a new SmartAttack so our customers can detect such vulnerabilities and avoid further attacks.
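The following is an added example, not Cenzic's SmartAttack and not code from the original post. It shows why a repeated parameter is ambiguous and how an application can reject it instead of guessing. The three resolution policies, the function names and the sample request are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Simplified models of how a component may resolve a repeated parameter.
# These three policies are assumptions for illustration, not a survey of
# real platforms.
POLICIES = {
    "first": lambda values: values[0],
    "last": lambda values: values[-1],
    "joined": lambda values: ",".join(values),
}


def collect(query, body=""):
    """Group every occurrence of each parameter name, in arrival order.

    Names are percent-decoded first, so 'id' and '%69d' count as one name.
    """
    grouped = {}
    for source in (query, body):
        for name, value in parse_qsl(source, keep_blank_values=True):
            grouped.setdefault(name, []).append(value)
    return grouped


def pollution_report(query, body=""):
    """Map each repeated parameter to the value every policy would see."""
    report = {}
    for name, values in collect(query, body).items():
        if len(values) > 1:
            report[name] = {p: pick(values) for p, pick in POLICIES.items()}
    return report


def strict_params(query, body=""):
    """Reject ambiguous input instead of guessing which occurrence is meant."""
    report = pollution_report(query, body)
    if report:
        raise ValueError("repeated parameters: " + ", ".join(sorted(report)))
    return {name: values[0] for name, values in collect(query, body).items()}


if __name__ == "__main__":
    # Constructed sample: 'account' appears in the query string and the body.
    print(pollution_report("account=1001&amount=5", "account=2002"))
    print(strict_params("account=1001&amount=5"))
```

When a front-end filter and the back-end application resolve the repeated name with different policies, the filter validates one value while the application acts on another; rejecting the request at the first parser removes that gap.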

Web Server Vulnerabilities SmartAttack Update

In this week’s update, we’ve also enhanced our Web Server Vulnerabilities SmartAttack so it can detect the PHP 'exif_read_data()' JPEG Image Processing Denial Of Service Vulnerability (BugtraqID 35440). PHP is prone to a denial-of-service vulnerability in its 'exif_read_data()' function. Successful exploits may allow remote attackers to cause denial-of-service conditions in applications that use the vulnerable function.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications. These Web application vulnerabilities include (but are not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com


June 19, 2009

Cenzic Detects an Apache Tomcat XML Parser Information Disclosure Vulnerability

An Apache Tomcat XML Parser Information Disclosure Vulnerability is now detectable in the Cenzic Web Server SmartAttack

As of June 19, 2009, Cenzic can detect the Apache Tomcat XML Parser Information Disclosure Vulnerability (BugtraqID 35416). Apache Tomcat is prone to an information disclosure vulnerability; attackers can exploit this issue to obtain sensitive information that may lead to further attacks.


by
Erin Swanson
Eswanson@cenzic.com


June 12, 2009

Cenzic Detects an Apache Tomcat Authentication Vulnerability

An Apache Tomcat Authentication Vulnerability is now detectable in the Cenzic Web Server SmartAttack

As of June 12, 2009, Cenzic can detect the Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness Vulnerability (BugtraqID 35196).  Apache Tomcat is prone to a username-enumeration weakness because it displays different responses to login attempts, depending on whether or not the username exists.  Attackers may exploit this weakness to discern valid usernames. This may aid them in brute-force password cracking or other attacks.


by
Erin Swanson
Eswanson@cenzic.com


June 05, 2009

Cenzic Detects an Apache Tomcat Denial of Service Vulnerability

An Apache Tomcat Denial of Service Vulnerability is now detectable in the Cenzic Web Server SmartAttack

As of June 5, 2009, Cenzic can detect the Apache Tomcat Java AJP Connector Invalid Header Denial of Service Vulnerability (BugtraqID 35193). Apache Tomcat is prone to a denial-of-service vulnerability. Attackers can exploit this issue and cause the server to end up in an error state, denying service to legitimate users.


by
Erin Swanson
Eswanson@cenzic.com

