back to article Adobe gifts internal file permissions to unwashed masses

A scripting error in Adobe's website gave outsiders broad access to internal files on the company's webserver that could prove valuable to malicious hackers trying to penetrate its security. The error, which appeared to reside in a faulty CGI script, allowed people outside Adobe to read and download files entering specially …

COMMENTS

This topic is closed for new posts.
  1. Sabahattin Gucukoglu

    Couple of things ...

    I think you mean "Traversal", not "Transversal". It's a directory traversal attack, because you're using relative paths (EG ../../../etc/passwd) to traverse the filesystem while avoiding most of the common checks done by software to see that they're not being abused (EG paths don't begin with a '/' in order to detect if a filename is given). Even when checks are in place to attempt the resolution of pathnames, they're not always sufficient - see, for instance, the Microsoft Unicode double-escape directory traversal attack in IIS.

    The other issue is considerably more serious, though: what in the name of sodding bloody buggering hell is the webserver doing with access to a key file that ought to be root-owned and that the server ought to have read into memory before dropping the hell away from superuser privileges and certainly before even thinking about accepting queries over the network?

    Cheers,

    Sabahattin

  2. Dan Goodin (Written by Reg staff)

    Sabahattin, you're right

    It's traversal, not transversal, for exactly the reason you state.

    Fixed.

  3. Anonymous Coward
    Anonymous Coward

    before we all start typing ../../

    wasn't UK Security Consultant Daniel Cuthbert arrested & convicted in 2005 for typing something similar that a BT monitoring outfit picked-up, "non-invasive Tsunami site access" ../../ might not be safe at work, or home!

    obvious solution is to use ToR , except that many major ToR nodes are hosted by happy people like...."Major nodes hosted anonymously dedicated to ToR by the same person/organization in Washington DC. Each handling 5-10TB data every month"... so ToR exit skimming is a given....

  4. joe

    7 years?

    Haven't bugs like this been known for a whole lot longer than 7 years?

  5. Anonymous Coward
    Anonymous Coward

    Ooo, should you be publishing that?

    http://www.samizdata.net/blog/archives/008118.html

  6. Mark Allen

    Illegal in Germany

    Remember guys... no doing this trick in Germany. You'll be locked up for "hacking".

    (Too lazy to locate the old El'Reg story on this... it's in there somewhere... :))

  7. Greem

    Self-Signed, eh?

    The certificate is most certainly not self-signed. More interestingly, the cert is in fact a certificate signing certificate - ie. a CA cert - from Verisign.

    The fact that it expired in 2004 seems to have passed a lot of people by, though.

    Still - if the corresponding private key is still being used, then a lot of mischief could happen.

  8. Anonymous Coward
    Anonymous Coward

    ModSecurity

    If they'd installed mod_security (http://www.modsecurity.org/) with the standard rules to prevent directory traversal attacks then this would never have happened, despite the flaw in their application.

    Mike Cardwell

  9. Anonymous Coward
    Anonymous Coward

    Click that link, go to jail

    Directory traversal is a crime in the UK under the Computer Misuse Act of 1990.

    http://www.scl.org/editorial.asp?i=1098

    Careful, the penalties can include jail sentences, and if you get arrested some pompous dick of a police officer will hold a press conference telling everyone that such crimes will not be permitted, and we will send a "strong message to someone about something".

    Mostly it just sends a message how f*cked up the UK is.

    So remember, FORWARD directory traversals are currently not being prosecuted, but BACKWARDS directory traversals ARE BEING PROSECUTED. Be careful to explain that to any children you have, the net is a dangerous place, one click and you can be snatched by the rozzers.

    /name/ is ok unless the folder was intended to be secret

    ../name is definitely a no no unless the website owner explicitly used it in a URL

    ./name is borderline

  10. Stuart Van Onselen

    Trivial fix?

    I'm no security expert, but isn't the fix for this trivial? Run the webserver under a user account that doesn't have access to anything but the web directories and the server binaries.

    That way, the OS security settings are a backstop that will stop badly-written CGI scripts, or anything else, "escaping" the web root.

    Or am I missing something?

  11. Thorin

    Re: Illegal in Germany

    @ Mark Allen

    Looks like the German Gov't is going to have to prosecute itself under its own new "hacking" laws.

    http://blog.fukami.io/archives/2007/09/17/202c-bsi-charged-for-distribution-of-boss/

    "...filed a charge against German <a href="http://www.bsi.de/">BSI</a>. BSI stands for: Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security) and they are the central IT security service provider for the German government. The reason for the charge is BSIs distribution of BOSS (BSI OSS Security Suite), which is basically a Live CD containing Open Source security tools such as Nessus and John the Ripper."

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019