[Openstack-operators] Security issue with python-paste library

Björn Hagemeier b.hagemeier at fz-juelich.de
Fri Feb 17 11:21:49 UTC 2012


Hi there,

I need to expose OpenStack API to the outside world. However, our 
network security staff refuse to open the requested firewall port, 
because of the (assumed) vulnerabilities detected by a Nessus scan. The 
relevant reports can be found below.

As far as I could see, the issue is not strictly related to OpenStack, 
but rather the python-paste library or one of its descendants. As 
python-paste does not mention usable support channels at first sight, 
I'm resorting to this list for support.

Has anyone come across any such vulnerabilities yet? Are they real, i.e. 
do the exploits mentioned in the Nessus reports really work? Any 
information would be of help.

I'm running pretty much a vanilla OpenStack Diablo installed from the 
Ubuntu packages (version 2011.3-0ubuntu6.4). If you need further 
information, please let me know.


Thank you very much in advance and
best regards,
Björn


==================================================
PORT WWW (8773/TCP)

Plugin ID: 44135
Web Server Generic Cookie Injection
Synopsis
The remote web server is prone to a cookie injection attack.
List of Hosts

zam916.zam.kfa-juelich.de
Plugin Output

The request string used to detect this flaw was :

<script>document.cookie=%22testhucq=8195;%22</script>

The output was :

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 603
Date: Wed, 15 Feb 2012 09:05:11 GMT
Connection: close


[...]
path_info = self.normalize_url(path_info, False)[1]
File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119, in normalize_url
"URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>document.cookie="testhucq=8195;"</script>')

Description
The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to inject arbitrary cookies. Depending
on the structure of the web application, it may be possible to launch
a 'session fixation' attack using this mechanism.

Please note that :

- Nessus did not check if the session fixation attack is
feasible.

- This is not the only vector of session fixation.
Solution
Contact the vendor for a patch or upgrade.
See also
http://en.wikipedia.org/wiki/Session_fixation
http://www.owasp.org/index.php/Session_Fixation
http://www.acros.si/papers/session_fixation.pdf
http://projects.webappsec.org/Session-Fixation
Risk Factor
Medium/ CVSS Base Score: 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
Plugin publication date: 2010/01/25
Plugin last modification date: 2011/03/14
==================================================

==================================================
PORT WWW (8773/TCP)

Plugin ID: 10815
Web Server Generic XSS
Synopsis
The remote web server is prone to cross-site scripting attacks.
List of Hosts

zam916.zam.kfa-juelich.de
Plugin Output

The request string used to detect this flaw was :

<script>cross_site_scripting.nasl</script>

The output was :

HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 596
Date: Wed, 15 Feb 2012 09:05:10 GMT
Connection: close


File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119, [...]
"URL fragments must start with / or http:// (you gave %r)" % url)
AssertionError: URL fragments must start with / or http:// (you gave '<script>cross_site_scripting.nasl</script>')


Description
The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user's browser within the security context of the
affected site.
Solution
Contact the vendor for a patch or upgrade.
See also
http://en.wikipedia.org/wiki/Cross-site_scripting
Risk Factor
Medium/ CVSS Base Score: 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score: 3.6(CVSS2#E:F/RL:OF/RC:C)
CVE
CVE-2002-1700
CVE-2003-1543
CVE-2005-2453
CVE-2006-1681
Bugtraq ID
5011
5305
7344
7353
8037
14473
17408
Other references
OSVDB:18525
OSVDB:24469
OSVDB:42314
OSVDB:4989
OSVDB:58976
CWE:79
CWE:80
CWE:81
CWE:83
CWE:20
CWE:74
CWE:442
CWE:712
CWE:722
CWE:725
CWE:811
CWE:751
CWE:801
CWE:116
Vulnerability publication date: 2004/04/09
Plugin publication date: 2001/11/30
Plugin last modification date: 2011/03/14
Ease of exploitability: Exploits are available
==================================================


-- 
Dipl.-Inform. Björn Hagemeier
Federated Systems and Data
Juelich Supercomputing Centre
Institute for Advanced Simulation

Phone: +49 2461 61 1584
Fax  : +49 2461 61 6656
Email: b.hagemeier at fz-juelich.de
Skype: bhagemeier
WWW  : http://www.fz-juelich.de/jsc

JSC is the coordinator of the
John von Neumann Institute for Computing
and member of the
Gauss Centre for Supercomputing
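Both findings above come from the request path being echoed back inside a text/plain 500 traceback raised by paste.urlmap. As an added example (not code from this mail or from python-paste, with a constructed stand-in for the urlmap assertion), the following WSGI wrapper replaces that traceback with a fixed 400 so the input is no longer reflected, and includes a check for whether a reflection would actually be rendered as HTML.

```python
import sys

def strict_path_app(environ, start_response):
    """Constructed stand-in for the paste.urlmap normalize_url check seen in
    the traceback: it asserts on a PATH_INFO not starting with '/' or
    'http://'. This is not python-paste's own code."""
    path = environ.get("PATH_INFO", "")
    assert path.startswith("/") or path.startswith("http://"), (
        "URL fragments must start with / or http:// (you gave %r)" % path)
    body = b"ok"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]

def no_traceback_middleware(app):
    """Turn the failed path check into a fixed 400 so neither the traceback
    nor the offending input is sent back to the client."""
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except AssertionError:
            body = b"400 Bad Request: malformed request path\n"
            # exc_info is passed per PEP 3333 in case headers were already set
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))],
                           sys.exc_info())
            return [body]
    return wrapped

def call(app, path):
    """Minimal in-process WSGI driver; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path},
                        start_response))
    return captured["status"], captured["headers"], body

def reflection_is_renderable(path, headers, body):
    """True only when the request path is echoed in a response a browser
    would parse as HTML. The scan output above is text/plain, so the echoed
    <script> tag is a traceback information leak, not executable script."""
    ctype = headers.get("Content-Type", "")
    return ctype.split(";")[0].strip() == "text/html" and path.encode() in body

if __name__ == "__main__":
    probe = '<script>document.cookie="testhucq=8195;"</script>'  # from the scan
    print(call(no_traceback_middleware(strict_path_app), probe))
```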



