[ISN] Gmail, MSN, Flickr... struck by security hole

InfoSec News isn at c4i.org
Fri Aug 19 03:39:45 EDT 2005


By Matthew Broersma
18 August 2005

A security hole in a popular development tool has severe implications
for a number of the Internet's most popular applications, including
Gmail, Flickr and MSN Virtual Earth.

Tens of thousands of companies including AOL, Google, Microsoft and
Yahoo are likely to be affected by the flaw in CPAINT - a toolkit used
to create applications using an approach known as AJAX - short for
Asynchronous JavaScript and XML. Rather than a technology in itself,
AJAX is an approach to putting more dynamic interactivity into Web
applications using a combination of HTML, CSS, Document Object Model,
JavaScript, and XMLHttpRequest.

The CPAINT flaw could allow an attacker to execute malicious code on a
server running CPAINT, or running an application built using CPAINT,
the software's developers said in an advisory.

The bug affects all existing versions of CPAINT, both the ASP and PHP
implementations, the CPAINT project said. The project issued a patch
fixing the issue, CPAINT v1.3-SP, and is creating a more comprehensive
fix for the forthcoming version 2.0.0.

"We highly recommend that everyone running any version of CPAINT
immediately upgrade to this patched version for security purposes,"
CPAINT's developers wrote in the advisory.

The bug may affect more than just CPAINT. In an e-mail to the Bugtraq
security mailing list, CPAINT developers warned that the same flaw is
also likely to affect other AJAX toolkits, and urged other AJAX
toolkit authors and users to test for security problems. "They are all
very similar in the way they execute functions on the back-end," the
developers wrote.
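The back-end pattern the developers describe, where the client names a server-side function to run, is the point at which such toolkits need a strict allowlist. The following PHP dispatcher is an added example written for this article, not CPAINT's code, and it does not reproduce CPAINT's flaw (the article does not describe its mechanism); the `getQuote` function, the request shape (`f` and `args`) and the sample data are all constructed.

```php
<?php
// Added example: a minimal AJAX back-end dispatcher that only invokes
// functions explicitly registered in an allowlist. Constructed for this
// article; it is not CPAINT's code and does not reproduce CPAINT's flaw.
declare(strict_types=1);

// Server-side functions the client is permitted to call, keyed by the
// name the client sends. Anything not listed here is unreachable.
$exposed = [
    'getQuote' => function (string $symbol): array {
        // Constructed sample data standing in for a database lookup.
        $quotes = ['ACME' => 12.5, 'XYZ' => 3.25];
        if (!isset($quotes[$symbol])) {
            return ['error' => 'unknown symbol'];
        }
        return ['symbol' => $symbol, 'price' => $quotes[$symbol]];
    },
];

function dispatch(array $exposed, array $request): array
{
    $name = $request['f'] ?? '';
    $args = $request['args'] ?? [];

    // The client-supplied name is used only as an array key; it is never
    // handed to call_user_func() or eval() on its own, so an unregistered
    // name such as 'system' is refused before anything runs.
    if (!is_string($name) || !array_key_exists($name, $exposed)) {
        return ['error' => 'function not exposed'];
    }
    if (!is_array($args)) {
        return ['error' => 'bad arguments'];
    }
    // Arguments arrive as plain strings; each callee validates its own.
    $args = array_map('strval', array_values($args));
    try {
        return $exposed[$name](...$args);
    } catch (\TypeError $e) {
        // Covers ArgumentCountError as well (wrong number of arguments).
        return ['error' => 'bad arguments'];
    }
}

// Constructed requests: one legitimate, one naming an unregistered function.
echo json_encode(dispatch($exposed, ['f' => 'getQuote', 'args' => ['ACME']])), "\n";
echo json_encode(dispatch($exposed, ['f' => 'system', 'args' => ['id']])), "\n";
```

Run from the command line with `php dispatch.php`; the first request returns the quote and the second is rejected with `function not exposed`.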

The AJAX approach has been adopted by a number of Web developers, the
best known of them being Google, whose Google Maps, Google Suggest,
Gmail and other applications use AJAX. Other high-profile AJAX-based
services include Microsoft's MSN Virtual Earth, Yahoo's Flickr and
AOL's AIM Mail. Many lesser-known services have also adopted AJAX,
such as Swiss mapping service map.search.ch and invoicing program

The CPAINT security flaw doesn't automatically mean such applications
are vulnerable, but should be a warning to developers using toolkits
to create dynamic Web applications, CPAINT developers said.

The term AJAX itself is contentious, having been coined by a
consultancy firm, but has gained wide usage. Google itself calls its
development approach simply JavaScript, while other Web developers
have applauded the use of the new term.

The AJAX model adds more dynamic interactivity to Web applications,
making them feel more like desktop applications. On the downside,
because AJAX is made up of a number of different standards implemented
in slightly different ways by browsers, it is very difficult to get
AJAX applications working correctly with every browser, developers say.

Scripting has become a significant source of security vulnerabilities
for Web applications. In January Google patched a Gmail flaw that
involved Perl script. PHP has been hit by several significant security
flaws, including in April of this year and December 2004.

In July of this year a serious vulnerability surfaced in a Web service
protocol used by a large number of Web applications. The holes were
found in XML-RPC For PHP and PEAR XML_RPC, which are implementations
of XML-RPC for the PHP scripting language.

XML-based RPC (Remote Procedure Call) systems such as XML-RPC are used
with HTTP to power Web services, a simple and increasingly popular way
of providing services online.