java


Apache Struts 1 is a popularly used JAVA EE web application framework. It offers many kinds of validators to filter user input by using the Apache Common Validator library, which is both convenient and fast. However, a bug in Apache Struts can be used to easily bypass the input validation process, allowing an attacker to submit arbitrary dirty data to the database, possibly resulting in a cross-site scripting attack when the user views the JSP file that refers directly to the corrupted data. [Read More]
by RSS Dehui Yin  |  Oct 25, 2017  |  Filed in: Security Research
Apache Struts 1 ValidatorForm is a commonly used component in the JAVA EE Web Application that requires validated form fields input by a user, such as a login form, registration form, or other information form. By configuring the validation rules, Apache Struts can validate many different kinds of fields - username, email, credit card number, etc. However, a bug in Apache Struts 1 can be used to manipulate the property of ValidatorForm so as to modify the validation rules, or even worse, cause a denial of service or execute arbitrary code in the... [Read More]
by RSS Dehui Yin  |  Oct 25, 2017  |  Filed in: Security Research
Joomla! is one of the world's most popular content management system (CMS) solutions. It enables users to build custom Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share. As of November 2016, Joomla! had been downloaded over 78 million times. Over 7,800 free and commercial extensions are also currently available from the official Joomla! Extension Directory, and more are available from other sources. This year, as a FortiGuard researcher... [Read More]
by RSS Zhouyuan Yang  |  May 04, 2017  |  Filed in: Security Research
FortiGuard Labs has put together answers to some of the most frequently asked questions you may have about the new emerging technology called WebAssembly (WA). What is WebAssembly? WebAssembly is a low-level, portable, binary format for the web that aims to speed up web apps. It is designed to parse faster (up to 20X), and execute faster than JavaScript (JS). When was it announced? The WebAssembly Community Group was created in April 2015, with the mission of “promoting early-stage cross-browser collaboration on a new, portable,... [Read More]
by RSS David Maciejak  |  Apr 13, 2017  |  Filed in: Security Research
A few days ago, Oracle announced on their blog that they plan to kill the Java browser plugin in their next major version of JDK, scheduled for release in Q1 2017. What does this mean? Should we worry about our browsing experience? This really just means that it won’t be possible to run Java applets in the browser anymore. The infamous “applet” is a technology that was developed by Sun Microsystems in the 90’s and went on to be acquired by Oracle. This technology was still popular in many exploit kits over the... [Read More]
by RSS David Maciejak  |  Feb 05, 2016  |  Filed in: Industry Trends
Two months ago, a Java zero day vulnerability (CVE-2015-4852) that targeted Apache commons collections library was disclosed. This vulnerability is caused by an error when Java applications, which use Apache commons collections library, deserialize objects from untrusted network sources. Let’s take a look: Our Fortinet IPS team immediately created a signature, "Apache.Commons.Collection.InvokerTransformer.Code.Execution", in order to protect our customers, and continues to monitor. Over the last 2 months, since creating the initial... [Read More]
by RSS Dehui Yin  |  Feb 04, 2016  |  Filed in: Security Research
Until relatively recently, mobile malware wasn't that different from early PC malware - It was annoying, it probably invaded your privacy, and it took a toll on system resources but it wasn't especially dangerous or costly in the way that modern weaponized malware used to attack PCs, servers, and point-of-sale systems was. And just as early malware primarily targeted a single OS (Windows), mobile malware remains almost exclusively a problem for Android. However, it appears that Stagefright has served as something of a wakeup call for the... [Read More]
by RSS Chris Dawson  |  Aug 12, 2015  |  Filed in: Industry Trends
Normal Java JAR or class format samples can be easily analyzed with Java decompiler tools, such as JAD and JD-GUI. Not so with those obfuscated ones, where decompiling results may be empty or not clear. When this happens, we need to then analyze the JVM (Java Virtual Machine) p-code. Nowadays, more and more Java malware use anti-decompiling techniques to increase the difficulty of analysis. In this blog post, we will analyze a new JAR obfuscated packer that is being used by Java malware, using a sample that we detect as Java/Obfus.CI!tr as an example. Decompiling... [Read More]
by RSS Ruhai Zhang  |  Dec 01, 2014  |  Filed in: Security Research
2014 marks the 10th anniversary of Cabir, the world's first mobile phone malware. To mark this occasion, Fortinet's FortiGuard Labs is taking a stroll down memory lane to examine the evolution and significance of mobile threats during the last 10 years. From Cabir to FakeDefend, the last decade has seen the number of mobile malware explode. In 2013, Fortinet's FortiGuard Labs has seen more than 1,300 new malicious applications per day and is currently tracking more than 300 Android malware families and more than 400,000 malicious Android... [Read More]
by RSS Michael Perna  |  Jan 21, 2014  |  Filed in: Industry Trends
This month we have patches from Adobe, Microsoft and Oracle launching today: Microsoft Microsoft published their monthly advanced notification for critical and important patches, and this month there are four patches: MS14-001 - Rated Important - affects Microsoft Office and Microsoft Server Software: may allow remote code execution. Patch may require a reboot. MS14-002 - Rated Important - affects Windows: may allow elevation of privilege. Patch requires a reboot. MS14-003 - Rated Important - affects Windows: may allow elevation of privilege.... [Read More]
by RSS Richard Henderson  |  Jan 14, 2014  |  Filed in: Industry Trends