Common security flaws to check for on your Linux-based Web systems

When performing vulnerability assessments and penetration tests we often get caught up in OS-level vulnerabilities and end up overlooking Layer 7 issues. This is a dangerous trap to get caught in, as there is much more attack surface on any given Linux system than just telnet and SSH. In fact, the majority of Linux-based flaws I see are in the application layer. Be it Apache, PHP, OpenSSL or just general misconfigurations, if the vulnerabilities are reachable via HTTP (and thus, generally, open to the world) then anything is fair game.


There are the commonly-cited vulnerabilities such as SQL injection and cross-site scripting, but there's more to the Linux Web security equation. The following are some of the other Web security vulnerabilities I often see on Linux-based systems, things you can check for to help minimize your Web-related risks:

  • PHP code injection that allows for direct execution of malicious code. I've seen server-side scripts pass unfiltered request input straight into eval() (or into system()-style functions) and run it on the server, providing system-level access to the server as the Web server user.
  • User names and passwords passed using HTTP GET requests instead of POST requests. Credentials in the query string end up in the Web server's access logs, in proxy logs, in browser history and in Referer headers sent to third-party sites. This flaw can create a scenario permitting privilege escalation at both the Web application and OS levels, especially where the same passwords are reused for system accounts.
  • Weak passwords, often combined with a lack of intruder lockout. I've found that by using an automated password cracker such as Brutus, or plain old login guessing, it's often very simple to gain unauthorized access to the Web site/application when weak logins are present.
  • Weak file and directory permissions that allow for system enumeration. I typically find backup/test files (.bak, .old, editor swap files and the like) containing old and unmaintained code that provide insight and information that not everyone needs to see.
  • Outdated versions of Apache, PHP, and related code vulnerable to DoS and remote code execution. I recently saw an OpenSSL flaw that allowed for remote denial-of-service by simply using freely-available exploit code on the Internet.
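The checks in the list above are easy to script. What follows is an added example, not code from the original article or from its author: a few POSIX shell helpers that look for leftover backup/test files under a document root, for PHP files that feed request parameters into eval()-style sinks, and for passwords submitted in GET query strings in an Apache combined-format access log. The document root, the log path and the sample files the script creates are constructed fixtures for the demo, not real site data.

```shell
#!/bin/sh
# Added example, not from the original article. Three quick checks for the
# issues listed above. Paths are assumptions: point them at your own document
# root and Apache access log.

# 1. Backup/test files left under the document root. Anything matching these
#    names is usually old code that Apache will happily serve as plain text.
find_leftover_files() {
    find "$1" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.orig' \
        -o -name '*~' -o -name '*.swp' -o -name '*.tar.gz' -o -name '*.zip' \
        -o -iname '*test*.php' -o -iname '*copy*.php' \) 2>/dev/null
}

# 2. PHP files that pass request data straight into a code- or command-execution
#    sink. Crude regex, but it catches the classic eval($_GET['code']) pattern.
find_php_injection_sinks() {
    pat='(eval|assert|system|exec|shell_exec|passthru|popen|preg_replace)[[:space:]]*\(.*\$_(GET|POST|REQUEST|COOKIE)'
    find "$1" -type f -name '*.php' -exec grep -nHE "$pat" {} + 2>/dev/null || true
}

# 3. Credentials sent with GET: the query string lands in the access log, in
#    proxy logs, in browser history and in Referer headers. Matches password-ish
#    parameter names in Apache combined-format log lines.
find_creds_in_get() {
    grep -E '"GET [^ ]*[?&](pass(word|wd)?|pwd)=' "$1" 2>/dev/null || true
}

# Constructed fixtures so the script runs stand-alone (not real site data).
# Prints the temporary directory it created.
make_fixtures() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/admin"
    printf '<?php echo "ok"; ?>\n' > "$tmp/htdocs/index.php"
    printf '<?php eval($_GET["code"]); ?>\n' > "$tmp/htdocs/admin/debug.php"
    printf '<?php $name = htmlspecialchars($_GET["name"]); ?>\n' > "$tmp/htdocs/hello.php"
    : > "$tmp/htdocs/index.php.bak"
    : > "$tmp/htdocs/admin/config.php.old"
    cat > "$tmp/access.log" <<'EOF'
10.0.0.5 - - [01/Mar/2010:10:00:01 +0000] "GET /login.php?user=bob&password=Summer2010 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Mar/2010:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Mar/2010:10:01:00 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
    echo "$tmp"
}

demo() {
    d=$(make_fixtures)
    echo "== leftover files under $d/htdocs"; find_leftover_files "$d/htdocs"
    echo "== PHP injection sinks";            find_php_injection_sinks "$d/htdocs"
    echo "== credentials in GET requests";    find_creds_in_get "$d/access.log"
    rm -rf "$d"
}

demo
```

On a real host, run the three functions against /var/www (or wherever DocumentRoot points) and /var/log/apache2/access.log. The regexes are deliberately loose; treat hits as leads to read by hand rather than as confirmed findings, and remember that a password in the access log is already a finding in itself regardless of how the application handles it.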

A few other Web-related vulnerabilities that are lower priority, but predictable and potentially troublesome nonetheless, include:

  • lack of consistent SSL enforcement across the site;
  • low-strength SSL ciphers (less than 128 bits);
  • SSL version 2, which is susceptible to attack when the traffic is captured off an unsecured wireless network, or off a wired network where someone is using the free Cain tool to perform ARP poison routing;
  • cookies that are not marked as secure. The Secure flag tells the browser to send the cookie only over SSL; without it, a session cookie issued over HTTPS is also sent in the clear with any plain HTTP request to the same site.
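The four items above can be checked against a configuration file and a captured response before a scanner ever runs. The script below is an added example, not code from the original article or from its author. It audits an Apache mod_ssl configuration for SSLv2, for low-strength cipher strings and for a port 80 virtual host that does not redirect to HTTPS, and flags Set-Cookie headers issued without the Secure flag. The two configuration snippets and the response headers are constructed for the demo (the "weak" cipher string is the old Apache 2.2 default); the directives themselves are standard mod_ssl ones.

```shell
#!/bin/sh
# Added example, not from the original article. Flags the SSL/TLS and cookie
# weaknesses listed above in an Apache mod_ssl configuration and in a captured
# HTTP response. Config snippets are constructed for the demo.

# Print one finding per line; return 1 if anything was found.
audit_ssl_config() {
    conf="$1"; rc=0
    # SSLv2 is still negotiable when SSLProtocol is "all" (or lists +SSLv2)
    # and nothing subtracts it.
    if grep -qiE '^[[:space:]]*SSLProtocol[[:space:]]+(all|.*\+SSLv2)' "$conf" \
       && ! grep -qiE '^[[:space:]]*SSLProtocol.*-SSLv2' "$conf"; then
        echo "SSLv2 enabled"; rc=1
    fi
    # Low-strength suites: LOW/EXP/NULL/single-DES named in the cipher string
    # without a leading "!" that would exclude them.
    if grep -iE '^[[:space:]]*SSLCipherSuite' "$conf" \
       | grep -qE '(^|[[:space:]:+])(LOW|EXP|EXPORT|eNULL|NULL|DES-CBC-SHA)'; then
        echo "weak (<128-bit) ciphers permitted"; rc=1
    fi
    # SSL enforcement: the port 80 vhost should redirect everything to https.
    if ! awk '/<VirtualHost[^>]*:80>/{v=1} v{print} /<\/VirtualHost>/{v=0}' "$conf" \
       | grep -qiE '(Redirect|RewriteRule).*https://'; then
        echo "port 80 vhost does not redirect to HTTPS"; rc=1
    fi
    return $rc
}

# Set-Cookie headers issued without the Secure flag (from saved response headers).
audit_cookies() {
    grep -i '^Set-Cookie:' "$1" | grep -viE ';[[:space:]]*Secure[[:space:]]*(;|$)' || true
}

# Constructed fixtures so the script runs stand-alone. Prints the temp directory.
make_tls_fixtures() {
    tmp=$(mktemp -d)
    cat > "$tmp/weak.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
EOF
    cat > "$tmp/good.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!LOW:!EXP
</VirtualHost>
EOF
    cat > "$tmp/headers.txt" <<'EOF'
HTTP/1.1 200 OK
Set-Cookie: PHPSESSID=3f9c2a1b; path=/
Set-Cookie: lang=en; path=/; Secure
Content-Type: text/html
EOF
    echo "$tmp"
}

demo() {
    d=$(make_tls_fixtures)
    for c in weak good; do
        echo "== $c.conf"; audit_ssl_config "$d/$c.conf" || true
    done
    echo "== cookies without Secure"; audit_cookies "$d/headers.txt"
    rm -rf "$d"
}

demo
```

Point audit_ssl_config at your own httpd-ssl.conf (or the vhost files under sites-enabled) and feed audit_cookies the output of a saved curl -I or a browser's response headers. For PHP session cookies the fix is a one-line php.ini change, session.cookie_secure = 1; for other cookies it is the Secure attribute on the Set-Cookie header. The "good" configuration above reflects the article's 2010 baseline; on a current system you would also subtract SSLv3 and the early TLS versions from SSLProtocol.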

Web security weaknesses such as these are best discovered using a commercial (you get what you pay for) Web vulnerability scanner such as Acunetix Web Vulnerability Scanner, WebInspect, N-Stalker, or NTOSpider. Such findings, when repeated consistently over time, can make or break a security assessment or PCI DSS audit. The good news is that most of these weaknesses are very simple to fix. Be it Linux tweaks, patches, or relatively simple code changes, your Web environment can go from a "fair" or "poor" security ranking to a "very good" or "excellent" one in a matter of days, all without having to spend a dime.

ABOUT THE AUTHOR: Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. In the industry for over two decades and having worked for himself the past eight years, Kevin specializes in performing independent security assessments and helping IT professionals achieve all they can in their careers. He has authored/co-authored seven books on information security including Hacking For Dummies and the newly-updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audio books and security blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.

This was first published in March 2010
