During the past month, a great deal has happened in the web security landscape, and we have added a ton of new findings to the service. Some of these findings come from other security companies’ public disclosures, whilst others are the results of internal audits of responsible disclosure programs.
Jenkins & JBoss remote code execution
We have added checks for the Jenkins and JBoss remote code execution vulnerabilities that were disclosed the November 6 . The two vulnerabilities involve the deserialization of arbitrary Java objects, which leads to remote code execution. If you have a vulnerable configuration, an attacker will be able to gain remote access to your system. If you have run either Jenkins or JBoss and have missed these news, we urge you to get another report ASAP.
Critical SQL injection vulnerability in Joomla!
A check for the Joomla! SQL injection vulnerability (as discovered by Trustwave)has been added to the service. If you have an unpatched version of Joomla! (ranging from version 3.2 through 3.4.4), you are at risk of having your database leaked and disclosed online. If you know you’re affected, upgrade immediately, otherwise grab another report to see if you’re vulnerable.
Multiple vulnerabilities in Ganglia
Added vulnerabilities for the Ganglia Monitoring System used for clusters and grids. It may be wise not to expose this service to the Internet.
Source code disclosure for Ruby applications
Added the ability for the service to detect Ruby-based source code disclosures. If your server is configured in such a way that it cannot properly handle Ruby files, the content of the files may leak. The source code for your application contains all the business logic and is hence highly critical.
Enhanced checks for Git-based projects
Git disclosures are bad. We’ve added further methods to find and analyze the content of publicly accessible git projects. Remember to never add database dumps, config files and pem-files to your Git repositories. A slip-up in your setup may disclose very sensitive data. If that happens and we spot it, we’ll mark the finding as Critical.
Findings in regards to IDE metadata
New checks for common files generated by the editors Eclipse and IntelliJ IDEA (including PhpStorm). Depending on how you use these tools, they may generate files containing sensitive data. These files should not reach your production environments as they may leak information (such as database credentials, commit messages, code changes and file paths).
Setting disclosure through /.env
Added check for /.env. If publicly accessible, it may contain system-critical information such as database credentials and API keys.
New check for the version control system Mercurial
Added Mercurial information disclosure finding (for the few who still use it).
Further findings for PHP misconfigurations
(Notice) It’s not uncommon for devops to configure and tweak PHP. Sometimes mistakes slip through. We have added checks for publicly exposed php.ini and error_log files.
As well as all of the above, new findings for Jetty, TravisCI and a ton of other systems have been added. To summarize, a large number of new vulnerabilities to look out for.
What are you waiting for? Go hack yourself!
Fredrik Nordberg Almroth