Schneier on Security
A blog covering security and security technology.

November 21, 2005

Possible Net Objects Fusion 9 Vulnerability

I regularly get anonymous e-mail from people exposing software vulnerabilities. This one looks interesting.

    Beta testers have discovered a serious security flaw that exposes a site created using Net Objects Fusion 9 (NOF9) that has the potential to expose an entire site to hacking, including passwords and log in info for that site. The vulnerability exists for any website published using versioning (that is, all sites using nPower).

I don't use NOF9, and I haven't tested this vulnerability. Can someone do so and get back to me? And if it is a real problem, spread the word.

I don't know yet if Website Pros prefers to pay lawyers to suppress information rather than pay developers to fix software vulnerabilities.

Posted on November 21, 2005 at 12:31 PM • 12 Comments

Comments

Roy Owens • November 21, 2005 1:39 PM

I once discovered on a Sun Unix system that I could unzip a file I had no 'rwx' privileges to, and the upshot was that I owned the unzipped file. This proved useful for removing obsolete files from shared areas when the owner wasn't available. Still, it bothers me that I was allowed to do it.

Tim Howland • November 21, 2005 2:00 PM

Google doesn't seem to return any hits for "_versioning_repository_/rollbacklog.xml" or just rollbacklog.xml - this suggests one of two things:

1) Nobody anywhere on the internet ever wrote a document named "rollbacklog.xml" that google indexed (an infinite number of monkeys, but still a finite amount of time...) or

2) Google has been persuaded to block queries for this vulnerability until the manufacturer can fix it....
Woody • November 21, 2005 2:18 PM

@Tim

3) NOF9 is using a robots.txt file to ensure that those files don't get added to the searches. If you knew a search string to locate NOF9-based sites, then you could generate the list of sites, and then ask each site for the above files.

Or...

4) No one actually uses NOF9...

Gary • November 21, 2005 2:50 PM

I don't think NOF 9 has been out that long, hence hard to find. This vulnerability seems to be on so many levels - publishing the site versioning repository to the web, but mostly storing the credentials with the repository.... NOF seems like a single-user kind of product, not a distributed authorship product. I can see storing the versions server side (optionally), but storing the saved credentials too? That's beyond "vulnerability" - that's just dunderheaded.

Dan • November 21, 2005 2:58 PM

Yeah, based on a few google searches, there don't seem to be any sites running version 9 at all. Too bad, I would've liked to have a go at this.

Josh • November 21, 2005 9:17 PM

@Bruce

You should be careful about your comment "I don't use NOF9, and I haven't tested this vulnerability. Can someone do so and get back to me?". Judging by the comments above, it seems some people have interpreted your request for a "test" as a request to "crack" a live Internet site. :)

Dan • November 22, 2005 2:01 PM

Well, that's not my intention, anyway. At least not until the point it's obvious that's what it will take to get a proper response from the company that publishes something like that...

Juha-Matti Laurio • November 23, 2005 10:09 AM

This issue was assigned as a vulnerability advisory today at Secunia's recommendation is to "store the profiles repository in a non-web accessible directory".

Juha-Matti Laurio • November 23, 2005 8:03 PM

This is http://www.frsirt.com/english/advisories/2005/... and http://www.securityfocus.com/bid/15542 too, including this blog entry as reference.
Chris • December 2, 2005 2:27 AM

Your posting is wrong; the company behind NetObjects did indeed address the issue, although the feature was targeted at designers who ought to protect those files anyhow, or at least publish them above root. An update was released on 16 November, which is before your post. So whoever was feeding you anonymous news was a little bit out of date.

Juha-Matti Laurio • December 9, 2005 8:52 PM

Bruce, is it worth contacting the security companies whose advisories list NetObjects as vulnerable (see Chris's opinion and information)? Three advisory URLs are mentioned in my previous comments.

Juha-Matti Laurio • February 18, 2006 1:28 PM

It seems that two security companies have updated their advisories. Secunia lists this issue as patched and says