Educause Security Discussion mailing list archives

Re: Vulnerability? Or...not so much?


From: David Shettler <dshettle () HOLYCROSS EDU>
Date: Sun, 4 Apr 2010 00:20:08 -0400

On Sat, Apr 3, 2010 at 11:27 PM, Charles Buchholtz
<chip+educause () seas upenn edu> wrote:

> If you think of the URI as a username/password, you probably already
> have Authentication/Authorization/Accounting standards for this
> situation.  Think of the URI as a guessable part (the "username") and
> a non-guessable part (the "password").

Interesting perspective.  In most cases, with that perspective, it
would meet or exceed most requirements -- though, not brute force
protection, and not centralized, etc.

> A sixty minute password is worse than a one-time pad or two factor,
> but it's better than a password that is changed monthly.  This might
> be better than your normal authentication, or it may be worse.

Indeed.

> There are a couple of issues that are specific to this situation:
>
> 1) The "passwords" may meet your requirements for user chosen
> passwords, but they may be guessable by someone who knows or reverse
> engineers the algorithm.  Besides users of your system who may
> generate many URIs looking for a pattern, you need to worry about
> users of the same application software at other sites.

And the fact that the software is, by many institutions (including
ours until we discovered this), internet accessible.

> 2) What if a future upgrade or patch of the software starts using
> easily guessable URIs?

Thanks for the perspective.  It provides some comfort?  But I'm still concerned.

It's written in Java, so I'm going to force a deeper pen test and
reverse engineer the class files to see what exactly is going on.
File names generated in the same session only seem to differ by a few
bits, and the epoch change.  I have a feeling the algorithm used may
also be flawed, but time (and effort) will tell.
