Re: [Mifos-developer] Vulnerability with Unrestricted File Uploads


Keith Randall

Oct 8, 2009, 11:56:38 AM10/8/09
to Mifos software development
There's a more direct security problem with rptdesign files. They can access the guts of Mifos with JavaScript and therefore can, for example, apply arbitrary SQL to the database. You don't want to give just anyone permission to upload rptdesign files...

On Thu, Oct 8, 2009 at 12:36 AM, Udai Gupta <mail...@gmail.com> wrote:
Hi,

I was creating a module for "Import Transactions" where there is a need
to upload an xls file. When I was referring to the admin/birt document upload
module (under the admin tab) I came to realize that there wasn't any file
size restriction enforced in the Struts configuration. That means any file
(extension renamed to "xyz.rptdesign") of any size can be uploaded,
which could lead to an "Upload huge files - file space denial of service"
attack. So, now I have placed a global setting "maxFileSize=4MB" which
will prevent any file beyond 4MB from being uploaded at any
place in Mifos. Now, there are other kinds of vulnerabilities that
can be exploited related to file upload:

     - Upload file using malicious path or name - overwrite critical file
     - Upload .exe file into web tree - victims download trojaned executable
     - Upload virus infected file - victims' machines infected
     - Upload .html file containing script - victim experiences
       Cross-site Scripting (XSS)

Now, whether we should address these issues depends on the user
policies and trust, because uploads are allowed when permission is
given, but this may vary from organization to organization.

After limiting the file size globally, I can think of verifying the
file content (by signature), e.g. for BIRT upload it should have
.rptdesign content, and for import transactions it should be xls.

Any comments?

Udai Gupta
Mifos Developer


Udai Gupta

Oct 8, 2009, 12:27:58 PM10/8/09
to kei...@alum.mit.edu, Mifos software development
Hi,

> There's a more direct security problem with rptdesign files.  They can
> access the guts of Mifos with javascript and therefore can, for example,
> apply arbitrary sql to the database.  You don't want to give just anyone
> permission to upload rptdesign files...

Yes, there are a number of ways one can harm the system if he/she has the
BIRT upload permission. I wouldn't much worry about putting effort into
securing that upload point if user trust policies can take care of
that, but are we sure about policies, because some organizations have
a much trusted Admin and some have little restrictions.

Now that the file size is globally limited, it will make sure that any new
module that is created won't accidentally allow unlimited file
upload, as was the case with BIRT upload. The concern here is: "Is it
fine to have the 4MB global limit in Mifos?" Or do we want just local
validation for the file size?

Adding better logging can also avoid extra effort, as we can make sure
which user is uploading which file.

Udai
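As an added illustration (not code from this thread or from Mifos itself), the three measures discussed above combined in one validation step: the global size cap, a content-signature check that the bytes really are an xls workbook or a BIRT rptdesign rather than trusting the extension, and a log line naming which user uploaded which file. It is written in Python rather than Mifos's Java so the logic stays short; the OLE2 header for legacy .xls files and the BIRT `<report>` root element and namespace are assumptions about those formats, and every file name and byte string below is constructed for the example.

```python
"""Constructed example: size, content-signature and name checks for uploads."""
import logging
import os
import posixpath
import xml.etree.ElementTree as ET

log = logging.getLogger("upload.validation")

# The 4 MB ceiling discussed in the thread; a module may pass a smaller limit.
MAX_UPLOAD_BYTES = 4 * 1024 * 1024

# Assumption: legacy .xls workbooks are OLE2 compound documents with this header.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Assumption: a BIRT .rptdesign is XML whose root element is <report> in this namespace.
BIRT_NS = "http://www.eclipse.org/birt/2005/design"

# Constructed sample payloads (not real files).
XLS_SAMPLE = OLE2_MAGIC + b"\x00" * 512
RPTDESIGN_SAMPLE = (
    b'<report xmlns="http://www.eclipse.org/birt/2005/design" version="3.2.20">'
    b"<data-sets/></report>"
)


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def safe_basename(filename: str) -> str:
    """Drop any directory part (Windows or POSIX separators) so the client
    cannot steer the file elsewhere; reject names that leave nothing usable."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise UploadRejected("unusable file name")
    return name


def _looks_like_xls(data: bytes) -> bool:
    """Magic-number check: the file must start with the OLE2 header."""
    return data.startswith(OLE2_MAGIC)


def _looks_like_rptdesign(data: bytes) -> bool:
    """Structural check only: well-formed XML with the expected BIRT root."""
    try:
        root = ET.fromstring(data)
    except (ET.ParseError, ValueError):
        return False
    return root.tag == "{%s}report" % BIRT_NS


# One signature check per kind of upload the application accepts.
SIGNATURE_CHECKS = {
    "xls": _looks_like_xls,
    "rptdesign": _looks_like_rptdesign,
}


def validate_upload(user, filename, data, expected_kind, max_bytes=MAX_UPLOAD_BYTES):
    """Return the sanitized file name if the upload is acceptable, otherwise
    raise UploadRejected. Every decision is logged together with the user."""
    try:
        name = safe_basename(filename)
        if len(data) > max_bytes:
            raise UploadRejected("file exceeds %d bytes" % max_bytes)
        check = SIGNATURE_CHECKS.get(expected_kind)
        if check is None:
            raise UploadRejected("no signature check for kind %r" % expected_kind)
        ext = os.path.splitext(name)[1].lstrip(".").lower()
        if ext != expected_kind:
            raise UploadRejected("extension .%s does not match %s" % (ext, expected_kind))
        if not check(data):
            raise UploadRejected("content is not a valid %s file" % expected_kind)
    except UploadRejected as exc:
        # The audit record the thread asks for: who tried to upload what, and why it failed.
        log.warning("upload rejected user=%s file=%r size=%d reason=%s",
                    user, filename, len(data), exc)
        raise
    log.info("upload accepted user=%s file=%s size=%d kind=%s",
             user, name, len(data), expected_kind)
    return name


def is_acceptable(user, filename, data, expected_kind, max_bytes=MAX_UPLOAD_BYTES):
    """Boolean form of validate_upload for callers that only need accept/reject."""
    try:
        validate_upload(user, filename, data, expected_kind, max_bytes)
    except UploadRejected:
        return False
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(validate_upload("admin", "transactions.xls", XLS_SAMPLE, "xls"))
    print(is_acceptable("admin", "evil.rptdesign", XLS_SAMPLE, "rptdesign"))
```

The extension and the content are checked independently on purpose: a renamed workbook uploaded as "xyz.rptdesign" fails the XML check, and a genuine workbook uploaded under a .csv name fails the extension check, so neither the name nor the bytes alone decide. The BIRT check is structural only; as Keith notes above, a well-formed rptdesign can still carry script, so this validation does not replace the permission control on who may upload such files.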

Emily Tucker

Oct 8, 2009, 2:59:47 PM10/8/09
to Mifos software development, kei...@alum.mit.edu
> Yes there are number of ways one can harm the system if he/she has the
> birt upload permission. I wouldn't much worry about putting efforts in
> securing that upload point if user trust policies can take care of
> that, but Are we sure about policies, because some organization have
> much trusted Admin and some with little restrictions.

IMO, given our experience with customers to date, I think we can trust MFIs to control these permissions carefully. In the future we can think of adding better security, but I don't think it's a priority right now.

Would be great to add "an enhancement" into the issue tracker so we don't forget the idea, though. Thanks for surfacing the issue, Udai!

Emily.

Adam Monsen

Oct 9, 2009, 6:53:23 PM10/9/09
to Mifos Developer Discussions
Argh, I can't post it either! Here's what I see:
http://img133.imageshack.us/i/posterroryyivxn.png/

On Fri, 2009-10-09 at 22:13 +0530, Udai Gupta wrote:
> Hi Adam,
>
> This is the issue I am trying to post, but it is not working for me:
>
>
> Type: Enhancement
>
> Summary: Security enhancement for Unrestricted File Uploads
>
> Description: There is a need for a better and more secure file
> validation mechanism in file uploading modules in order to avoid any
> vulnerability related to unrestricted file uploads. The user policies
> take care of security for these modules because the users given
> permission for upload are trusted. There can be enhanced
> logging in these areas to have a record of what file has been uploaded
> by whom.
>
> http://cwe.mitre.org/data/definitions/434.html
> http://shsc.info/FileUploadSecurity
>
> Thanks,
> Udai


Udai Gupta

Oct 12, 2009, 3:10:00 AM10/12/09
to Mifos software development
Hi,

I have reported this as an issue because I think it might be
something related to content filtering.
https://java-net.dev.java.net/issues/show_bug.cgi?id=696

Udai
