Friday, May 30, 2014

Defense in depth -- the Microsoft way (part 15): unquoted arguments in 120 (of 462) command lines

Hi @ll,

for MANY years now Microsoft's own documentation for CreateProcess*()
<http://msdn.microsoft.com/library/cc144175.aspx> and
<http://msdn.microsoft.com/library/cc144101.aspx> has said:

| Note: If any element of the command string contains or might contain
                                                      ~~~~~~~~~~~~~~~~
| spaces, it must be enclosed in quotation marks.
             ~~~~

Additionally "Registering an Application to a URI Scheme"
<http://msdn.microsoft.com/library/aa767914.aspx> shows:

| HKEY_CLASSES_ROOT
|   alert
|      (Default) = "URL:Alert Protocol"
|      URL Protocol = ""
|      DefaultIcon
|         (Default) = "alert.exe,1"
|      shell
|         open
|            command
|               (Default) = "C:\Program Files\Alert\alert.exe" "%1"
                                                               ~~~~
...
| To mitigate this issue:
| * Avoid spaces, quotes, or backslashes in your URI
| * Quote the %1 in the registration ("%1" as written in the 'alert' example
|   registration)


Let's take a look at the registry of Windows 8.1 (as it comes on the DVD
available from <http://technet.microsoft.com/evalcenter/hh699156.aspx>,
inside the \sources\install.wim):
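
The two quoting rules from the MSDN notes above can be checked mechanically. The following PowerShell script is an added example, not part of Stefan Kanthak's post or his listing: it walks every `...\shell\<verb>\command` key under HKEY_CLASSES_ROOT (which is where protocol handlers and file-type verbs live) and reports command lines whose executable path contains a space but is not enclosed in quotation marks, or whose `%1`-style placeholder stands outside quotation marks. The function names, the extension list used to find the end of an unquoted executable path, and the sample command lines are the example's own assumptions; the unquoted-path test mirrors what CreateProcess does, which is to try `C:\Program`, then `C:\Program Files\Alert\alert.exe`, and so on until something runs.

```powershell
# Added example (not from the original post). Audits HKCR shell\<verb>\command values
# for the two mistakes the MSDN notes describe:
#   1. an executable path that contains spaces but is not enclosed in quotation marks
#   2. a %1 / %L / %* style placeholder that is not enclosed in quotation marks

function Test-CommandLineQuoting {
    param([Parameter(Mandatory)][string]$CommandLine)

    $issues = @()
    $exe    = $null
    $rest   = ''
    $cmd    = $CommandLine.Trim()

    if ($cmd.StartsWith('"')) {
        # Quoted executable: everything up to the closing quote is the image path.
        $end  = $cmd.IndexOf('"', 1)
        $exe  = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.Substring(1) }
        $rest = if ($end -gt 0) { $cmd.Substring($end + 1) } else { '' }
    } else {
        # Unquoted executable: expand %SystemRoot%-style variables first, then take the
        # shortest prefix ending in an executable extension that is followed by whitespace
        # or the end of the string. The extension list is an assumption of this example.
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        $m = [regex]::Match($expanded,
            '^(?<exe>[^"]+?\.(exe|com|bat|cmd|dll|cpl|msc|scr|ocx))(?<rest>\s.*|$)', 'IgnoreCase')
        if ($m.Success) {
            $exe  = $m.Groups['exe'].Value
            $rest = $m.Groups['rest'].Value
        } else {
            $i    = $expanded.IndexOf(' ')
            $exe  = if ($i -gt 0) { $expanded.Substring(0, $i) } else { $expanded }
            $rest = if ($i -gt 0) { $expanded.Substring($i) }    else { '' }
        }
        # This is the CreateProcess ambiguity: "C:\Program" is tried before the real path.
        if ($exe -match ' ') { $issues += 'unquoted executable path with spaces' }
    }

    # Strip every quoted segment from the argument part; any placeholder left over
    # (%1, %2, %*, %L, %l, %D, %V ...) is unquoted and will be split on spaces.
    $unquotedArgs = [regex]::Replace($rest, '"[^"]*"', '')
    if ($unquotedArgs -match '%([1-9*]|[lLdDvV])') { $issues += 'unquoted %1 argument' }

    [pscustomobject]@{ CommandLine = $CommandLine; Executable = $exe; Issues = $issues }
}

function Get-UnquotedShellCommands {
    param([string]$Root = 'Registry::HKEY_CLASSES_ROOT')

    # Every key named "command" whose parent is a verb under a "shell" key.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' -and $_.PSParentPath -match '\\shell\\[^\\]+$' } |
        ForEach-Object {
            $value = $_.GetValue('')            # the (Default) value; REG_EXPAND_SZ is expanded
            if ($value) {
                Test-CommandLineQuoting -CommandLine $value |
                    Add-Member -NotePropertyName Key -NotePropertyValue $_.Name -PassThru
            }
        } |
        Where-Object { $_.Issues.Count -gt 0 }
}

# Constructed sample command lines (not taken from any real system) to show the classifier.
$samples = @(
    '"C:\Program Files\Alert\alert.exe" "%1"',   # correct, as in the MSDN 'alert' example
    'C:\Program Files\Alert\alert.exe "%1"',     # executable path unquoted
    '"C:\Program Files\Alert\alert.exe" %1',     # %1 unquoted
    'C:\Windows\notepad.exe %1'                  # path has no spaces, but %1 is unquoted
)
$samples | ForEach-Object { Test-CommandLineQuoting -CommandLine $_ } | Format-Table -AutoSize

# Audit the live registry (slow: HKCR is large):
# Get-UnquotedShellCommands | Format-Table Key, Executable, Issues -AutoSize
```

The first sample passes clean; the other three are reported with the respective issue. To audit an offline image such as the install.wim mentioned above, mount it, load its `Windows\System32\config\SOFTWARE` hive with `reg load`, and point `-Root` at `Registry::HKEY_LOCAL_MACHINE\<mounted-hive>\Classes` instead of HKCR.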

[RT-SA-2014-005] SQL Injection in webEdition CMS File Browser

Advisory: SQL Injection in webEdition CMS File Browser

RedTeam Pentesting discovered an SQL injection vulnerability in the file
browser component of webEdition CMS during a penetration test.
Unauthenticated attackers can gain read-only access to the SQL database
used by webEdition and read, for example, the password hashes of
administrative accounts.


Details
=======

Product: webEdition CMS
Affected Versions: webEdition 6.3.8.0 svn6985 down to 6.3.3.0,
                   probably earlier versions, too
Fixed Versions: 6.2.7-s1 - 6.3.8-s1
Vulnerability Type: SQL Injection
Security Risk: high
Vendor URL: http://www.webedition.org
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-005
Advisory Status: published
CVE: CVE-2014-2303
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2303

[RT-SA-2014-004] Remote Command Execution in webEdition CMS Installer Script

Advisory: Remote Command Execution in webEdition CMS Installer Script

RedTeam Pentesting discovered a remote command execution vulnerability
in the installer script of the webEdition CMS during a penetration test.
If the installer script is not manually removed after installation,
attackers can not only reinstall webEdition but also gain remote command
execution.

Mybb Sendthread Page Denial of Service Vulnerability

Denial of Service Vulnerability in MyBB 1.6.13 and older versions



#!/usr/bin/perl
#################################
#
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@            @@@  @@@@@@@
#     @@@    @@@@@@@@@@@    @@@  @@         @@@     @@            @@@  @@@@@@@@
#     @@@    @@@            @@@    @@       @@@       @@          @@@  @@@  @@@
#     @@@    @@@            @@@      @@     @@@     @@            @@@  @@@  @@@
#     @@@    @@@@@@@@@@@    @@@       @     @@@@@@@@@@            @@@  @@@@@@
#     @@@    @@@@@@@@@@@    @@@     @@      @@@     @@            @@@  @@@@@@
#     @@@    @@@            @@@   @@        @@@       @@   @@@    @@@  @@@ @@@
#     @@@    @@@            @@@ @@          @@@     @@     @@@    @@@  @@@  @@@
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@     @@@    @@@  @@@   @@@
#
#####################################
#####################################
#
#         Iranian Exploit DataBase
#
# Mybb Sendthread Page Denial of Service Vulnerability
# Test on Mybb 1.6.13
# Vendor site : www.mybb.com
# Code Written By Amir - iedb.team@gmail.com - o0_shabgard_0o@yahoo.com
# Site : Www.IeDb.Ir/acc   -   Www.IrIsT.Ir
# Fb Page : https://www.facebook.com/iedb.ir
# Greats : Bl4ck M4n - ErfanMs - TaK.FaNaR  - N20 - Bl4ck N3T - dr.koderz - Enddo - E1.Coders - Behnam Vanda
# E2MA3N - l4tr0d3ctism - H-SK33PY - sole sad - r3d_s0urc3 - Dr_Evil - z3r0 - 0x0ptim0us - 0Day
# Security - ARTA - ARYABOD - Mr.Time - C0dex - Dj.TiniVini - Det3cT0r - yashar shahinzadeh
#  Khashayar - tootro20 - AmirMasoud And All Members In IeDb.Ir/acc
#####################################

Wednesday, May 28, 2014

[SECURITY] CVE-2014-0119 Apache Tomcat information disclosure

CVE-2014-0119 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.5
- Apache Tomcat 7.0.0 to 7.0.53
- Apache Tomcat 6.0.0 to 6.0.39

Description:
In limited circumstances it was possible for a malicious web application
to replace the XML parsers used by Tomcat to process XSLTs for the
default servlet, JSP documents, tag library descriptors (TLDs) and tag
plugin configuration files. The injected XML parser(s) could then bypass
the limits imposed on XML external entities and/or have visibility of
the XML files processed for other web applications deployed on the same
Tomcat instance.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.8 or later
  (8.0.6 and 8.0.7 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.54 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
This issue was identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html