Web Server Directory Traversal Arbitrary File Access in fhgfs-admon


Glenn

Jan 15, 2014, 10:12:44 AM
to fhgfs...@googlegroups.com
We had our fhgfs-admon server open to our campus network to allow access from workstations. A recent security scan revealed that the Web server of fhgfs-admon allows directory traversal. Here is the description from the Nessus scan:

It appears possible to read arbitrary files on the remote host outside the web server's document directory
using a specially crafted URL. An unauthenticated attacker may be able to exploit this issue to access
sensitive information to aid in subsequent attacks.
Note that this plugin is not limited to testing for known vulnerabilities in a specific set of web servers.
Instead, it attempts a variety of generic directory traversal attacks and considers a product to be vulnerable
simply if it finds evidence of the contents of '/etc/passwd' or a Windows 'win.ini' file in the response. It may,
in fact, uncover 'new' issues, that have yet to be reported to the product's vendor.

I have made the fhgfs-admon server only available on localhost to mitigate this but wanted to report it here.

Thank you.
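To make the finding concrete: the scanner description above says it sends generic traversal URLs and looks for evidence of '/etc/passwd' or 'win.ini' in the response. The following is an added illustration of that check and of the resolver-side pattern that allows or prevents it; it is not code from this thread and not fhgfs-admon's code. The document root, the probe paths and the sample response bodies are constructed for the demonstration.

```python
import posixpath
import re
from typing import Callable, Optional
from urllib.parse import unquote

# Constructed document root for this illustration (an assumption, not the
# layout of fhgfs-admon or any real server).
DOC_ROOT = "/var/lib/admon/www"


def naive_resolve(url_path: str) -> str:
    """Vulnerable pattern: decode the request path once and glue it onto the
    document root. Nothing checks where '..' segments lead, so a request
    such as '../../../../etc/passwd' resolves to a file outside DOC_ROOT."""
    relative = unquote(url_path).lstrip("/")
    return posixpath.normpath(posixpath.join(DOC_ROOT, relative))


def safe_resolve(url_path: str) -> Optional[str]:
    """Hardened pattern: decode twice (so a double-encoded %252e%252e is seen
    as '..' instead of being stored as a literal filename), treat backslashes
    as separators, reject NUL bytes, normalise, and only then require the
    result to be DOC_ROOT itself or something beneath it. Returns None to deny."""
    decoded = unquote(unquote(url_path))
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Containment check on the normalised path; DOC_ROOT + "/" keeps a sibling
    # such as /var/lib/admon/www_other from passing as a prefix match.
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


# Evidence patterns of the kind the scanner description mentions: a passwd
# entry (name:pw:uid:gid:...) or the section headers of a Windows win.ini.
_PASSWD_LINE = re.compile(r"(?m)^[A-Za-z_][\w-]*:[^:\n]*:\d+:\d+:")
_WININI_SECTION = re.compile(r"(?mi)^\[(fonts|extensions|mci extensions|files)\]")


def shows_traversal(body: str) -> bool:
    """Scanner-side heuristic: does the response body leak /etc/passwd or
    win.ini content? A generic evidence check in the spirit of the finding,
    not the Nessus plugin's actual code."""
    return bool(_PASSWD_LINE.search(body) or _WININI_SECTION.search(body))


# Constructed probe paths a generic traversal check would send.
PROBES = [
    "../../../../etc/passwd",
    "..%2f..%2f..%2f..%2fetc%2fpasswd",
    "%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\..\\..\\windows\\win.ini",
]


def escaped_root(resolver: Callable[[str], Optional[str]], url_path: str) -> bool:
    """True if the resolver mapped the request to a path outside DOC_ROOT."""
    target = resolver(url_path)
    if target is None:
        return False
    return target != DOC_ROOT and not target.startswith(DOC_ROOT + "/")


if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:58} naive -> {naive_resolve(probe)!s:32} safe -> {safe_resolve(probe)}")
```

Note that the naive resolver only escapes on the plain and single-encoded probes: on POSIX a backslash is an ordinary filename character, and a double-encoded `%252e` decodes once to the literal text `%2e`, so those two probes would not leak from this particular naive server, but a server that decodes twice or runs on Windows would. The safe resolver denies all four outright rather than silently clamping them into the root, which makes the attempt visible in the logs.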

Sven Breuner

Jan 15, 2014, 11:38:10 AM
to fhgfs...@googlegroups.com, Glenn
hi glenn,

thanks for your report.

i haven't verified the issue yet, but i have created an internal ticket
for further investigation.

i guess it's too late to mention, but anyways: i think it's generally a
good idea to first report potential security concerns to the maintainers
(that would be sup...@fhgfs.com in this case) and give them some time
to verify/update before publishing ;-)

if it helps in the meantime: it's also possible to run the fhgfs-admon
daemon as a non-root user to reduce its privileges.

best regards,
sven

Glenn Johnson

Jan 15, 2014, 11:54:17 AM
to Sven Breuner, fhgfs...@googlegroups.com
Sorry, I thought that list was only for those who had support contracts.

--
Glenn Johnson

Sven Breuner

Jan 16, 2014, 7:37:01 AM
to fhgfs...@googlegroups.com, Glenn Johnson
hi glenn,

Glenn Johnson wrote on 01/15/2014 05:54 PM:
> Sorry, I thought that list was only for those who had support contracts.

so for clarification let's say sup...@fhgfs.com is just a general way
to report something to the fhgfs development team, so there's nothing
wrong with sending a mail like
"i think it would be great if a future version of fhgfs could..." or
"i'm so happy with fhgfs, because..." or
"i found out that fhgfs has a problem with..." etc
to this address.

(so mails to sup...@fhgfs.com simply generate a ticket in our support
system; it's not some kind of mailing list for supported customers, if
that was a misunderstanding.)

of course, how we then internally proceed and handle/prioritize/react on
incoming reports (e.g. whether we immediately call our wives to let them
know that it's gonna be a long night for the team, because we need to
change something in the code asap ;-) ), depends on whether you have a
support contract or not.

best regards,
sven breuner
fraunhofer

Sven Breuner

Feb 13, 2014, 7:18:47 AM
to fhgfs...@googlegroups.com, Glenn
Hi Glenn,

the problem should be resolved with the fhgfs version 2012.10-r13
update, which is now available on fhgfs.com

Best regards,
Sven Breuner
Fraunhofer