Educause Security Discussion mailing list archives
Re: Vulnerability? Or...not so much?
From: Steve Werby <smwerby () VCU EDU>
Date: Sun, 4 Apr 2010 10:28:25 -0400
On 4/3/2010 9:35 PM, David Shettler wrote:
> Unfortunately, the vendor refuses to acknowledge that the problem is a security issue, and thus won't remedy it. Their opinion is that the URI randomization, and 60 minute temporary nature of the files is sufficient 'security'.
Since the application's users can access the system via an untrusted network (per your follow-up email) and the URIs could be logged via a proxy or filtering system, there's a risk that unauthorized users (both internal and external) could acquire the URIs during the availability window. And there are no controls beyond knowledge of the URI to restrict access. And of course, there's the risk the URIs could be guessed, but unless it's mathematically feasible to brute force attack URIs in a 60 minute window without being detected, I wouldn't focus on that.
> 1) decide that their obscurity is good enough, and re-open access to it. The URI/filename is not predictable at my skill level (portions are, but others not), but I'm not exactly a hacker-adept.
Per above, I'd be less concerned with guessing if the random portion of the URI isn't easy to guess and more concerned that someone could intercept a valid URI and then access the associated sensitive data within the 60 minute window. If you haven't already, you may want to walk the data owners through specific risk scenarios and explain the likelihood of exploitation of the vulnerability and the potential impact. Who has the capacity to accept risk to sensitive data in your environment - you? the data owner? someone else?

Is there ever a situation where these files should be accessible during that 60 minute window from an IP address other than the IP address of the user who led to the files' creation? If not (or that's infrequent), perhaps you could implement a system between the user and the scanning system that logs the relevant URIs and IPs and blocks access from unauthorized IPs. I'm assuming the app's code can't be modified. Even if there are no hooks into it and it doesn't have available logs, you should be able to get what's needed from the web server logs, at least after some configuration tweaks. This would reduce the window from 60 minutes to something closer to 0 seconds and would limit it to attackers coming from the same IP address as the originator.

-- 
Steve Werby
Information Security Officer
Virginia Commonwealth University
VCU Information Security - http://infosecurity.vcu.edu/
News, Tips & More - http://www.twitter.com/vcuinfosec
Best Practices - http://infosecurity.vcu.edu/docs/infosecbp.pdf
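The compensating control sketched in the reply above (bind each temporary URI to the originating IP and enforce the 60 minute lifetime, using web server logs as the data source) as an added, self-contained example; this is not code from the thread or the vendor. It assumes a Common Log Format access log, a `/scans/tmp/` path prefix for the temporary files, and that the first client to request a URI is its legitimate owner; all sample log lines are constructed.

```python
"""Gate temporary scan-result URIs: first requester becomes the owner,
other IPs are refused, and the URI expires after 60 minutes."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)      # the vendor's 60 minute file lifetime
TEMP_PREFIX = "/scans/tmp/"         # assumed path of the temporary files

# Common Log Format: client IP, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


@dataclass
class Binding:
    owner_ip: str
    first_seen: datetime


def parse_line(line):
    """Return (ip, timestamp, uri, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["uri"], int(m["status"])


def decide(registry, ip, ts, uri):
    """'allow', or a deny reason, for one request against the registry."""
    if not uri.startswith(TEMP_PREFIX):
        return "allow"                      # not a temporary result file
    binding = registry.get(uri)
    if binding is None:                     # assumption: first requester owns it
        registry[uri] = Binding(ip, ts)
        return "allow"
    if ts - binding.first_seen > WINDOW:
        return "deny: expired"
    if ip != binding.owner_ip:
        return "deny: ip mismatch"          # worth alerting on, not just blocking
    return "allow"


def replay(lines):
    """Run a log in order; returns (ip, uri, decision) per parsed request."""
    registry, decisions = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, uri, _status = parsed
            decisions.append((ip, uri, decide(registry, ip, ts, uri)))
    return decisions


# Constructed sample access log: owner fetches twice, a second host tries
# the same URI 20 minutes in, then the owner returns after the window.
SAMPLE_LOG = [
    '10.1.2.3 - - [04/Apr/2010:10:00:00 -0400] "GET /scans/tmp/a8f3e9c1d2/report.pdf HTTP/1.1" 200 5120',
    '10.1.2.3 - - [04/Apr/2010:10:05:00 -0400] "GET /scans/tmp/a8f3e9c1d2/report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [04/Apr/2010:10:20:00 -0400] "GET /scans/tmp/a8f3e9c1d2/report.pdf HTTP/1.1" 200 5120',
    '10.1.2.3 - - [04/Apr/2010:11:30:00 -0400] "GET /scans/tmp/a8f3e9c1d2/report.pdf HTTP/1.1" 200 5120',
    '10.1.2.3 - - [04/Apr/2010:11:31:00 -0400] "GET /index.html HTTP/1.1" 200 300',
]
```

Every "deny: ip mismatch" decision is also a detection signal: a valid URI presented from a second address is exactly the interception scenario the reply warns about.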