Ian Bicking  
From: Ian Bicking <i...@colorstudy.com>
Date: Tue, 21 Feb 2012 14:09:52 -0600
Local: Tues, Feb 21 2012 3:09 pm
Subject: Re: [Paste] Possible security issue

From what I can tell the larger context is:

        assert (not url or url.startswith('/')
                or self.domain_url_re.search(url)), (
            "URL fragments must start with / or http:// (you gave %r)" %
            url)

That is, you can inject information into an error string, but such error
strings should never be shown to users.  You can configure an application
to show errors, but that is not the default and is definitely not
recommended for any public deployment.  (Also the error messages aren't
treated as HTML, so would be quoted later.)

It looks like they actually get the error to be produced over HTTP, but I
don't know what the entire stack is that they are using.

On Tue, Feb 21, 2012 at 1:33 AM, Björn Hagemeier <b.hageme...@googlemail.com>
wrote:
> Hi there,

> a Nessus scan at my organization has shown a possible vulnerability in a
> product using paste. As the problem seems to stem from paste, I would like
> to know your take on this and whether a fix is available. Please find the
> relevant Nessus problem report below.

> Are there any vulnerabilities known to you that could be exploited? Any
> information would be of help, as I need to convince our security staff that
> the application is secure and can safely be exposed to the outside world.

> BTW: The application in question is the OpenStack Cloud interface
> (nova-api) from http://openstack.org/

> Thank you very much in advance and
> best regards,
> Björn

> ==================================================
> PORT WWW (8773/TCP)

> Plugin ID: 44135
> Web Server Generic Cookie Injection
> Synopsis
> The remote web server is prone to a cookie injection attack.
> List of Hosts

> zam916.zam.kfa-juelich.de
> Plugin Output

> The request string used to detect this flaw was :

> <script>document.cookie=%22testhucq=8195;%22</script>

> The output was :

> HTTP/1.1 500 Internal Server Error
> Content-Type: text/plain
> Content-Length: 603
> Date: Wed, 15 Feb 2012 09:05:11 GMT
> Connection: close

> [...]
> path_info = self.normalize_url(path_info, False)[1]
> File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119, in normalize_url
> "URL fragments must start with / or http:// (you gave %r)" % url)
> AssertionError: URL fragments must start with / or http:// (you gave '<script>document.cookie="testhucq=8195;"</script>')

> Description
> The remote host is running a web server that fails to adequately
> sanitize request strings of malicious JavaScript. By leveraging this
> issue, an attacker may be able to inject arbitrary cookies. Depending
> on the structure of the web application, it may be possible to launch
> a 'session fixation' attack using this mechanism.

> Please note that :

> - Nessus did not check if the session fixation attack is
> feasible.

> - This is not the only vector of session fixation.
> Solution
> Contact the vendor for a patch or upgrade.
> See also
> http://en.wikipedia.org/wiki/Session_fixation
> http://www.owasp.org/index.php/Session_Fixation
> http://www.acros.si/papers/session_fixation.pdf
> http://projects.webappsec.org/Session-Fixation
> Risk Factor
> Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
> Plugin publication date: 2010/01/25
> Plugin last modification date: 2011/03/14
> ==================================================

> ==================================================
> PORT WWW (8773/TCP)

> Plugin ID: 10815
> Web Server Generic XSS
> Synopsis
> The remote web server is prone to cross-site scripting attacks.
> List of Hosts

> zam916.zam.kfa-juelich.de
> Plugin Output

> The request string used to detect this flaw was :

> <script>cross_site_scripting.nasl</script>

> The output was :

> HTTP/1.1 500 Internal Server Error
> Content-Type: text/plain
> Content-Length: 596
> Date: Wed, 15 Feb 2012 09:05:10 GMT
> Connection: close

> File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119, [...]
> "URL fragments must start with / or http:// (you gave %r)" % url)
> AssertionError: URL fragments must start with / or http:// (you gave '<script>cross_site_scripting.nasl</script>')

> Description
> The remote host is running a web server that fails to adequately
> sanitize request strings of malicious JavaScript. By leveraging this
> issue, an attacker may be able to cause arbitrary HTML and script code
> to be executed in a user's browser within the security context of the
> affected site.
> Solution
> Contact the vendor for a patch or upgrade.
> See also
> http://en.wikipedia.org/wiki/Cross-site_scripting
> Risk Factor
> Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
> CVSS Temporal Score: 3.6(CVSS2#E:F/RL:OF/RC:C)
> CVE
> CVE-2002-1700
> CVE-2003-1543
> CVE-2005-2453
> CVE-2006-1681
> Bugtraq ID
> 5011
> 5305
> 7344
> 7353
> 8037
> 14473
> 17408
> Other references
> OSVDB:18525
> OSVDB:24469
> OSVDB:42314
> OSVDB:4989
> OSVDB:58976
> CWE:79
> CWE:80
> CWE:81
> CWE:83
> CWE:20
> CWE:74
> CWE:442
> CWE:712
> CWE:722
> CWE:725
> CWE:811
> CWE:751
> CWE:801
> CWE:116
> Vulnerability publication date: 2004/04/09
> Plugin publication date: 2001/11/30
> Plugin last modification date: 2011/03/14
> Ease of exploitability: Exploits are available
> ==================================================

> --
> Dipl.-Inform. Björn Hagemeier
> Federated Systems and Data
> Juelich Supercomputing Centre
> Institute for Advanced Simulation

> Phone: +49 2461 61 1584
> Fax  : +49 2461 61 6656
> Email: b.hageme...@fz-juelich.de
> Skype: bhagemeier
> WWW  : http://www.fz-juelich.de/jsc

> JSC is the coordinator of the
> John von Neumann Institute for Computing
> and member of the
> Gauss Centre for Supercomputing

> ------------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Dueren district court, no. HR B 3498
> Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
> Management Board: Prof. Dr. Achim Bachem (Chairman),
> Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
> Prof. Dr. Sebastian M. Schmidt
> ------------------------------------------------------------------------

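Added example, not code from the paste project or from either poster: a self-contained Python model of the check discussed in this thread. It re-creates the fragment condition from the quoted assert (the real `domain_url_re` in paste is assumed here to match `^(http|https)://`), shows that the AssertionError echoes the rejected input back, and then shows two things a defender would want: a small WSGI wrapper that turns the failed check into a fixed-text 400 instead of a 500 traceback that repeats the request, and a triage helper that classifies a scanner's "reflected payload" finding by the response's Content-Type, which is the point Ian makes about the error not being treated as HTML. The payload string and the WSGI driver are constructed for this example; `wsgiref.util.setup_testing_defaults` is from the standard library.

```python
import re
from wsgiref.util import setup_testing_defaults

# Assumed shape of paste.urlmap's domain_url_re (not copied from paste):
# a fragment is acceptable if empty, rooted at '/', or an absolute http(s) URL.
DOMAIN_URL_RE = re.compile(r'^(http|https)://')


def is_valid_url_fragment(url):
    """The condition inside the quoted assert, as a plain predicate."""
    return (not url) or url.startswith('/') or bool(DOMAIN_URL_RE.search(url))


def normalize_url(url):
    """Behaves like the quoted assert: rejects bad input and echoes it."""
    assert is_valid_url_fragment(url), (
        "URL fragments must start with / or http:// (you gave %r)" % url)
    return url


def echoes_input(url):
    """True if normalize_url rejects url AND the error text contains it."""
    try:
        normalize_url(url)
    except AssertionError as err:
        return url in str(err)
    return False


def reject_bad_fragments(app):
    """WSGI middleware (constructed for this example): answer a malformed
    PATH_INFO with a fixed-text 400 so no traceback or request echo is sent,
    regardless of whether the app behind it is configured to show errors."""
    def wrapped(environ, start_response):
        path_info = environ.get('PATH_INFO', '')
        if not is_valid_url_fragment(path_info):
            body = b'Bad Request: malformed path'
            start_response('400 Bad Request', [
                ('Content-Type', 'text/plain; charset=utf-8'),
                ('Content-Length', str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def hello_app(environ, start_response):
    """Trivial downstream app standing in for the real application."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'ok']


def call_wsgi(app, path_info):
    """Minimal offline WSGI driver; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ['PATH_INFO'] = path_info
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status
        captured['headers'] = dict(headers)

    body = b''.join(app(environ, start_response))
    return captured['status'], captured['headers'], body


def classify_reflection(content_type, body, payload):
    """Triage a scanner finding: a payload reflected into a non-HTML body
    (such as a text/plain 500 traceback) is debug-information disclosure,
    not script that a browser will run."""
    if payload not in body:
        return 'not reflected'
    mime = content_type.split(';')[0].strip().lower()
    if mime == 'text/html':
        return 'reflected in HTML: treat as XSS'
    return 'reflected in %s: info disclosure, not XSS' % mime


if __name__ == '__main__':
    payload = '<script>probe</script>'  # constructed, benign marker string
    print('assert echoes input:', echoes_input(payload))
    print('with middleware:', call_wsgi(reject_bad_fragments(hello_app), payload))
    print(classify_reflection('text/plain', 'AssertionError: ... %r' % payload, payload))
```

The middleware is the deployment-side fix a reviewer would ask for: the fragment check still runs, but the failure is reported with a constant body, so nothing an attacker sends is reflected and no stack trace leaves the server even if debug error display was left on.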


 