Educause Security Discussion mailing list archives

Re: Vulnerability? Or...not so much?


From: Steve Werby <smwerby () VCU EDU>
Date: Sun, 4 Apr 2010 10:28:25 -0400

On 4/3/2010 9:35 PM, David Shettler wrote:
> Unfortunately, the vendor refuses to acknowledge that the problem is a
> security issue, and thus won't remedy it.  Their opinion is that the
> URI randomization, and 60 minute temporary nature of the files is
> sufficient 'security'.

Since the application's users can access the system via an untrusted
network (per your follow-up email) and the URIs could be logged via a
proxy or filtering system, there's a risk that unauthorized users (both
internal and external) could acquire the URIs during the availability
window.  And there are no controls beyond knowledge of the URI to
restrict access.  And of course, there's the risk the URIs could be
guessed, but unless it's mathematically feasible to brute force attack
URIs in a 60 minute window without being detected, I wouldn't focus on that.

>   1) decide that their obscurity is good enough, and re-open access to
> it.  The URI/filename is not predictable at my skill level (portions
> are, but others not), but I'm not exactly a hacker-adept.


Per above, I'd be less concerned with guessing if the random portion of
the URI isn't easy to guess and more concerned that someone could
intercept a valid URI and then access the associated sensitive data
within the 60 minute window.  If you haven't already, you may want to
walk the data owners through specific risk scenarios and explain the
likelihood of exploitation of the vulnerability and the potential
impact.  Who has the capacity to accept risk to sensitive data in your
environment - you?  the data owner? someone else?

Is there ever a situation where these files should be accessible
during that 60 minute window from an IP address other than the IP
address of the user who led to the files' creation?  If not (or that's
infrequent), perhaps you could implement a system between the user and
the scanning system that logs the relevant URIs and IPs and blocks
access from unauthorized IPs.  I'm assuming the app's code can't be
modified.  Even if there are no hooks into it and it doesn't have
available logs, you should be able to get what's needed from the web
server logs, at least after some configuration tweaks.  This would
reduce the window from 60 minutes to something closer to 0 seconds and
would limit it to attackers coming from the same IP address as the
originator.

--
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf
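
One way to build the IP-binding layer described above, as an added example and not code from the thread or from the vendor's product: a filter that replays web-server access-log lines, binds each temp-file URI to the first client address seen requesting it, and blocks any other address inside the 60 minute window. The Common Log Format layout, the `/scans/tmp/...` URI pattern and the sample log lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed Common Log Format; the temp-file URI pattern is a constructed placeholder.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')
TEMP_URI_RE = re.compile(r'^/scans/tmp/[A-Za-z0-9]{16,}\.pdf$')
WINDOW = timedelta(minutes=60)  # the vendor's stated lifetime of the files


class OriginBindingFilter:
    """Bind each temp-file URI to the first client IP seen requesting it and
    refuse later requests for that URI from any other IP inside the window."""

    def __init__(self):
        self.bindings = {}  # uri -> (owner_ip, first_seen)

    def decide(self, ip, ts, uri):
        if not TEMP_URI_RE.match(uri):
            return "PASS"      # not a temp file; out of scope for this filter
        owner = self.bindings.get(uri)
        if owner is None:
            self.bindings[uri] = (ip, ts)
            return "ALLOW"     # first sight: bind the URI to this originator
        owner_ip, first_seen = owner
        if ts - first_seen > WINDOW:
            return "EXPIRED"   # the app should have deleted it; block anyway
        if ip != owner_ip:
            return "BLOCK"     # valid URI replayed from a different address
        return "ALLOW"


def process_log(lines):
    """Replay access-log lines through the filter; return (ip, uri, decision)."""
    flt = OriginBindingFilter()
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        out.append((m["ip"], m["uri"], flt.decide(m["ip"], ts, m["uri"])))
    return out


# Constructed sample: originator fetches, another address replays the URI
# twenty minutes later, then the originator retries after the window closes.
SAMPLE_LOG = [
    '10.1.2.3 - - [04/Apr/2010:10:00:00 -0400] "GET /scans/tmp/q8Zt3kLm9pRs2vXw.pdf HTTP/1.1" 200 5120',
    '10.1.2.3 - - [04/Apr/2010:10:00:05 -0400] "GET /index.html HTTP/1.1" 200 310',
    '198.51.100.7 - - [04/Apr/2010:10:20:00 -0400] "GET /scans/tmp/q8Zt3kLm9pRs2vXw.pdf HTTP/1.1" 200 5120',
    '10.1.2.3 - - [04/Apr/2010:11:05:00 -0400] "GET /scans/tmp/q8Zt3kLm9pRs2vXw.pdf HTTP/1.1" 404 0',
]
```

Binding on first sight assumes the originator's request reliably precedes any replay; where the web server logs the response that hands out the URI (for example a redirect), binding at that point instead closes that race.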
