Possible security issue


Björn Hagemeier

Feb 21, 2012, 2:33:12 AM
to paste...@googlegroups.com
Hi there,

a Nessus scan at my organization has shown a possible vulnerability in a
product using paste. As the problem seems to stem from paste, I would
like to know your take on this and whether a fix is available. Please
find the relevant Nessus problem report below.

Are there any vulnerabilities known to you that could be exploited? Any
information would be of help, as I need to convince our security staff
that the application is secure and can safely be exposed to the outside
world.

BTW: The application in question is the OpenStack Cloud interface
(nova-api) from http://openstack.org/


Thank you very much in advance and
best regards,
Björn

==================================================
PORT WWW (8773/TCP)

Plugin ID: 44135
Web Server Generic Cookie Injection
Synopsis
The remote web server is prone to a cookie injection attack.
List of Hosts

zam916.zam.kfa-juelich.de
Plugin Output

The request string used to detect this flaw was :

<script>document.cookie=%22testhucq=8195;%22</script>

The output was :

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 603
Date: Wed, 15 Feb 2012 09:05:11 GMT
Connection: close


[...]
path_info = self.normalize_url(path_info, False)[1]
File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119, in normalize_url
"URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>document.cookie="testhucq=8195;"</script>')

Description
The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to inject arbitrary cookies. Depending
on the structure of the web application, it may be possible to launch
a 'session fixation' attack using this mechanism.

Please note that :

- Nessus did not check if the session fixation attack is
feasible.

- This is not the only vector of session fixation.
Solution
Contact the vendor for a patch or upgrade.
See also
http://en.wikipedia.org/wiki/Session_fixation
http://www.owasp.org/index.php/Session_Fixation
http://www.acros.si/papers/session_fixation.pdf
http://projects.webappsec.org/Session-Fixation
Risk Factor
Medium / CVSS Base Score: 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
Plugin publication date: 2010/01/25
Plugin last modification date: 2011/03/14
==================================================

==================================================
PORT WWW (8773/TCP)

Plugin ID: 10815
Web Server Generic XSS
Synopsis
The remote web server is prone to cross-site scripting attacks.
List of Hosts

zam916.zam.kfa-juelich.de
Plugin Output

The request string used to detect this flaw was :

<script>cross_site_scripting.nasl</script>

The output was :

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 596
Date: Wed, 15 Feb 2012 09:05:10 GMT
Connection: close


File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119, [...]
"URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>cross_site_scripting.nasl</script>')


Description
The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.
Solution
Contact the vendor for a patch or upgrade.
See also
http://en.wikipedia.org/wiki/Cross-site_scripting
Risk Factor
Medium / CVSS Base Score: 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score: 3.6(CVSS2#E:F/RL:OF/RC:C)
Vulnerability publication date: 2004/04/09
Plugin publication date: 2001/11/30
Plugin last modification date: 2011/03/14
Ease of exploitability: Exploits are available
==================================================

--
Dipl.-Inform. Björn Hagemeier
Federated Systems and Data
Juelich Supercomputing Centre
Institute for Advanced Simulation

Phone: +49 2461 61 1584
Fax : +49 2461 61 6656
Email: b.hag...@fz-juelich.de
Skype: bhagemeier
WWW : http://www.fz-juelich.de/jsc

JSC is the coordinator of the
John von Neumann Institute for Computing
and member of the
Gauss Centre for Supercomputing

-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Dr. Karl Eugen Huthmacher
Management Board: Prof. Dr. Achim Bachem (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------


Ian Bicking

Feb 21, 2012, 3:09:52 PM
to Björn Hagemeier, paste...@googlegroups.com
From what I can tell the larger context is:

        assert (not url or url.startswith('/')
                or self.domain_url_re.search(url)), (
            "URL fragments must start with / or http:// (you gave %r)" % url)

That is, you can inject information into an error string, but such error strings should never be shown to users.  You can configure an application to show errors, but that is not the default and is definitely not recommended for any public deployment.  (Also the error messages aren't treated as HTML, so would be quoted later.)

It looks like they actually get the error to be produced over HTTP, but I don't know what the entire stack is that they are using.


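A small added example, not code from the thread, from paste or from nova: a WSGI app that reproduces the assertion Ian quoted, wrapped in a hypothetical error middleware whose "show errors" switch is on (the behaviour seen on the scanned host) or off, plus a check that replays the scanner's probe from the Nessus output and reports whether the input comes back in the response body. The names normalize_url, app, error_middleware and probe_reflection are assumptions made for this example.

```python
import re
import sys
import traceback
from typing import Tuple

# Probe string taken verbatim from the Nessus output quoted in the thread.
PROBE = '<script>document.cookie="testhucq=8195;"</script>'

# Assumption: stands in for paste's domain_url_re (http:// or https:// prefix).
DOMAIN_URL_RE = re.compile(r'^(http|https)://')


def normalize_url(url: str) -> str:
    # Same check as the paste.urlmap snippet Ian quoted: the rejected value
    # is interpolated into the assertion message with %r.
    # (Note that "python -O" strips assert statements entirely.)
    assert (not url or url.startswith('/') or DOMAIN_URL_RE.search(url)), (
        "URL fragments must start with / or http:// (you gave %r)" % url)
    return url


def app(environ, start_response):
    # Hypothetical application: validates the URL fragment, then answers "ok".
    normalize_url(environ.get('PATH_INFO', ''))
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'ok']


def error_middleware(wrapped, show_tracebacks: bool):
    # Hypothetical "show errors" switch. With it on, the traceback (and the
    # echoed request input inside it) is sent to the client, as on the scanned
    # host; with it off, only a fixed message goes out and the detail is logged.
    def middleware(environ, start_response):
        try:
            return wrapped(environ, start_response)
        except Exception:
            detail = traceback.format_exc()
            print(detail, file=sys.stderr)  # stand-in for a real server log
            body = detail if show_tracebacks else 'internal server error'
            start_response('500 Internal Server Error', [('Content-Type', 'text/plain')])
            return [body.encode('utf-8')]
    return middleware


def probe_reflection(application, path: str) -> Tuple[str, bool]:
    # Replays the scanner's request in-process and reports the status plus
    # whether the probe text is reflected in the body (what the plugin keys on).
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status

    environ = {'PATH_INFO': path, 'REQUEST_METHOD': 'GET'}
    body = b''.join(application(environ, start_response))
    return captured['status'], path in body.decode('utf-8', 'replace')
```

Both configurations answer 500 to the probe; only the traceback-showing one reflects the input, which is the finding the scanner reports.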

