[Openstack-operators] Security issue with python-paste library

Andiabes andi.abes at gmail.com
Sat Feb 18 18:40:27 UTC 2012


Hmm, both the tests appear to correctly error out on the server side. It appears as if nessus is complaining that it finds the injected code in the error output.

Swift has a middleware which sanitizes error replies, which I suspect will prevent these false positives [1].
I'm wondering if you see similar issues when you target a Swift endpoint (with the middleware in the pipeline).




[1] https://github.com/openstack/swift/blob/master/swift/common/middleware/catch_errors.py
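
As an added illustration (not code from paste or Swift), the following hypothetical WSGI stand-ins show why the scan flags the 500 page: a traceback handler that echoes the request string back to the client, beside a catch_errors-style middleware that logs the traceback server-side and returns a fixed body. The app, middleware and helper names, and the "An error occurred" body, are assumptions of this example.

```python
# Added example, not code from paste or Swift: hypothetical WSGI pieces that
# reproduce the echoed-traceback 500 and the catch_errors-style fix.
import sys
import traceback


def strict_urlmap_app(environ, start_response):
    """Stand-in (hypothetical) for paste.urlmap's URL check, raising the same
    error text the quoted traceback shows."""
    path = environ.get("PATH_INFO", "")
    if not (path.startswith("/") or path.startswith("http://")):
        raise AssertionError(
            "URL fragments must start with / or http:// (you gave %r)" % path)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def traceback_app(app):
    """Models the unsafe behaviour: an exception becomes a text/plain 500
    whose body is the traceback, including the scanner-controlled path."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [traceback.format_exc().encode("utf-8")]
    return wrapper


def catch_errors(app):
    """catch_errors-style middleware: the traceback goes to the server log
    (wsgi.errors) and the client only ever sees a fixed, constant body."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            environ.get("wsgi.errors", sys.stderr).write(traceback.format_exc())
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")])
            return [b"An error occurred"]  # constant; nothing from the request
    return wrapper


def call(app, path):
    """Drive a WSGI app with a constructed request; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body
```

With the scanner's own request string as input, the first wrapper returns a body containing it (which is what the plugin matches on), while the second returns the same 500 status with no request-derived text.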


On Feb 17, 2012, at 11:38 PM, Judd Maltin <openstack at newgoliath.com> wrote:

> I can't imagine how the attacks would possibly work.  The GETs and POSTs of this type aren't honored by any storage mechanism on the server side, nor it seems would any context be provided for a client application to use those values.
> 
> You should bump up the nessus scan to someone your scan team trusts to articulate how this is likely a false positive.
> 
> But it is a good idea to stay vigilant for access to unauthorized data and DDOS.  I'd like something to drop slow uploaders, for example.
> 
> -judd maltin (CISSP, fwiw)
> 
> On Feb 17, 2012 6:21 AM, "Björn Hagemeier" <b.hagemeier at fz-juelich.de> wrote:
> Hi there,
> 
> I need to expose OpenStack API to the outside world. However, our network security staff refuse to open the requested firewall port, because of the (assumed) vulnerabilities detected by a Nessus scan. The relevant reports can be found below.
> 
> As far as I could see, the issue is not strictly related to OpenStack, but rather the python-paste library or one of its descendants. As python-paste does not mention usable support channels at first sight, I'm resorting to this list for support.
> 
> Has anyone come across any such vulnerabilities yet? Are they real, i.e. do the exploits mentioned in the Nessus reports really work? Any information would be of help.
> 
> I'm running pretty much a vanilla OpenStack Diablo installed from the Ubuntu packages (version 2011.3-0ubuntu6.4). If you need further information, please let me know.
> 
> 
> Thank you very much in advance and
> best regards,
> Björn
> 
> 
> ==================================================
> PORT WWW (8773/TCP)
> 
> Plugin ID: 44135
> Web Server Generic Cookie Injection
> Synopsis
> The remote web server is prone to a cookie injection attack.
> List of Hosts
> 
> zam916.zam.kfa-juelich.de
> Plugin Output
> 
> The request string used to detect this flaw was :
> 
> <script>document.cookie=%22testhucq=8195;%22</script>
> 
> The output was :
> 
> HTTP/1.1 500 Internal Server Error
> Content-Type: text/plain
> Content-Length: 603
> Date: Wed, 15 Feb 2012 09:05:11 GMT
> Connection: close
> 
> 
> [...]
> path_info = self.normalize_url(path_info, False)[1]
> File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119, in normalize_url
> "URL fragments must start with / or http:// (you gave %r)" % url)
> AssertionError: URL fragments must start with / or http:// (you gave '<script>document.cookie="testhucq=8195;"</script>')
> 
> Description
> The remote host is running a web server that fails to adequately
> sanitize request strings of malicious JavaScript. By leveraging this
> issue, an attacker may be able to inject arbitrary cookies. Depending
> on the structure of the web application, it may be possible to launch
> a 'session fixation' attack using this mechanism.
> 
> Please note that :
> 
> - Nessus did not check if the session fixation attack is
> feasible.
> 
> - This is not the only vector of session fixation.
> Solution
> Contact the vendor for a patch or upgrade.
> See also
> http://en.wikipedia.org/wiki/Session_fixation
> http://www.owasp.org/index.php/Session_Fixation
> http://www.acros.si/papers/session_fixation.pdf
> http://projects.webappsec.org/Session-Fixation
> Risk Factor
> Medium/ CVSS Base Score: 4.3
> (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
> Plugin publication date: 2010/01/25
> Plugin last modification date: 2011/03/14
> ==================================================
> 
> ==================================================
> PORT WWW (8773/TCP)
> 
> Plugin ID: 10815
> Web Server Generic XSS
> Synopsis
> The remote web server is prone to cross-site scripting attacks.
> List of Hosts
> 
> zam916.zam.kfa-juelich.de
> Plugin Output
> 
> The request string used to detect this flaw was :
> 
> <script>cross_site_scripting.nasl</script>
> 
> The output was :
> 
> HTTP/1.1 500 Internal Server Error
> Content-Type: text/plain
> Content-Length: 596
> Date: Wed, 15 Feb 2012 09:05:10 GMT
> Connection: close
> 
> 
> File "/usr/lib/python2.7/dist-packages/paste/urlmap.py", line 119, [...]
> "URL fragments must start with / or http:// (you gave %r)" % url)
> AssertionError: URL fragments must start with / or http:// (you gave '<script>cross_site_scripting.nasl</script>')
> 
> 
> Description
> The remote host is running a web server that fails to adequately
> sanitize request strings of malicious JavaScript. By leveraging this
> issue, an attacker may be able to cause arbitrary HTML and script code
> to be executed in a user's browser within the security context of the
> affected site.
> Solution
> Contact the vendor for a patch or upgrade.
> See also
> http://en.wikipedia.org/wiki/Cross-site_scripting
> Risk Factor
> Medium/ CVSS Base Score: 4.3
> (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
> CVSS Temporal Score: 3.6(CVSS2#E:F/RL:OF/RC:C)
> CVE
> CVE-2002-1700
> CVE-2003-1543
> CVE-2005-2453
> CVE-2006-1681
> Bugtraq ID
> 5011
> 5305
> 7344
> 7353
> 8037
> 14473
> 17408
> Other references
> OSVDB:18525
> OSVDB:24469
> OSVDB:42314
> OSVDB:4989
> OSVDB:58976
> CWE:79
> CWE:80
> CWE:81
> CWE:83
> CWE:20
> CWE:74
> CWE:442
> CWE:712
> CWE:722
> CWE:725
> CWE:811
> CWE:751
> CWE:801
> CWE:116
> Vulnerability publication date: 2004/04/09
> Plugin publication date: 2001/11/30
> Plugin last modification date: 2011/03/14
> Ease of exploitability: Exploits are available
> ==================================================
> 
> 
> -- 
> Dipl.-Inform. Björn Hagemeier
> Federated Systems and Data
> Juelich Supercomputing Centre
> Institute for Advanced Simulation
> 
> Phone: +49 2461 61 1584
> Fax  : +49 2461 61 6656
> Email: b.hagemeier at fz-juelich.de
> Skype: bhagemeier
> WWW  : http://www.fz-juelich.de/jsc
> 
> JSC is the coordinator of the
> John von Neumann Institute for Computing
> and member of the
> Gauss Centre for Supercomputing
> 
> 
> _______________________________________________
> Openstack-operators mailing list
> Openstack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
> 