Regarding Two Security Holes in Scoop

By ray eckson in Technology
Sat Sep 08, 2007 at 02:43:18 AM EST
Tags: meta, k5, security, xss, zero-day (all tags)

As per suggestions contained in the FAQ:

Herein lies a report of two identified and as yet uncorrected security flaws in Scoop.  Enough detail will be provided to assist admins in investigating and correcting the flaws, but it is the author's hope that the details of the flaws are sufficiently obscured to prevent abuse by the undesirables.

Executive summary:

Through the exploitation of various unchecked privileged operations, attackers may be able to perform admin-level actions leading to data loss.  Additionally, well-intentioned security measures combined with XSS vulnerabilities can be exercised to simulate admin-level action, resulting in data loss.


  • Unchecked admin-level operations

Definition - "admin-level operation": Any action that enables a user to perform privileged operations on data that is not their own.  An example: deleting others' comment ratings/diaries/comments/submissions.  

The flaw: Certain operations*, which a non-admin user should be allowed to perform only on that user's own data, are also allowed on others' data.  No check of data ownership or admin status is done to prevent the operation.

* The operation(s) in question are not disclosed due to abuse potential.  The precise location of the vulnerabilities will be emailed to help@kuro5hin.org.

Suggested approach towards a solution:

  1. Confirm the expected HTTP method.  If your form submits a POST, have your processing code confirm that the request came in as a POST, and reject the action if it did not.  This check applies across many classes of vulnerabilities and is a good general security practice.

  2. For privileged actions, check user status.  Is the user the owner of the data in question?  If not, does the user have adequate admin status to perform the action?

  3. Code obfuscation.  If you have a 'delete foo' operation, don't make the URL for the operation ?op=admin&cmd=deletefoo&fooid=2.  The same holds for cookie values, form names, and any number of other data points.  Obfuscation will deter most casual attackers and inconvenience the determined.

  4. Log all privileged action attempts.  While this won't prevent attacks, it will make identifying them as they occur much easier.
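Steps 1, 2 and 4 above combined into one check, as an added Python example that is not Scoop's own code; `Request`, `delete_comment` and the comment table are constructed for illustration, and the logger name is arbitrary:

```python
import logging
from dataclasses import dataclass, field

# Hypothetical logger name; any application logger will do.
log = logging.getLogger("privileged-ops")


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    method: str
    user: str
    is_admin: bool = False
    params: dict = field(default_factory=dict)


def sample_comments():
    """Constructed comment table: comment id -> owning user."""
    return {1: "alice", 2: "bob"}


def authorize_privileged(req, item_owner, required_method="POST"):
    """Apply steps 1, 2 and 4: check the HTTP method, then ownership or
    admin status, and log every attempt so abuse can be spotted as it happens."""
    # Step 1: a state-changing form posts, so anything else is rejected outright.
    if req.method != required_method:
        log.warning("rejected: bad method user=%s method=%s", req.user, req.method)
        return False
    # Step 2: the owner may act on their own data ...
    if req.user == item_owner:
        log.info("allowed (owner): user=%s", req.user)
        return True
    # ... anyone else needs admin status.
    if req.is_admin:
        log.info("allowed (admin): user=%s owner=%s", req.user, item_owner)
        return True
    log.warning("rejected: not owner or admin user=%s owner=%s", req.user, item_owner)
    return False


def delete_comment(req, comments):
    """Delete params['cid'] from the comment table only if authorized.
    Returns True when the comment was removed, False otherwise."""
    try:
        cid = int(req.params.get("cid", ""))
    except ValueError:
        log.warning("rejected: malformed cid user=%s", req.user)
        return False
    if cid not in comments:
        return False
    if not authorize_privileged(req, comments[cid]):
        return False
    del comments[cid]
    return True
```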


  • Pseudo-admin attacks with XSS

Definition - "cross-site scripting (XSS)": A flaw in web application development that enables an attacker to inject malicious JavaScript code.

The flaw: Certain features of Scoop, designed to prevent abuse (crapflooding), when combined with cross-site scripting, can enable an attacker to simulate admin functionality*.  This leads to data loss.

* Details omitted due to abuse potential.  A full description will be sent to help@kuro5hin.org.

Suggested approach towards a solution:

  1. Filter out XSS-enabling HTML characters.  At the application level, filter all user input that contains HTML enabling JavaScript injection.  This includes, but is not limited to, the characters <, >, " and '.  Care should be taken to also filter out the URL-encoded versions of these characters.  These characters can be safely displayed as their respective HTML entities.

  2. Disable automatic data-loss responses to user input.  If a user can cause data loss through their actions*, an XSS attacker can force others to cause data loss against their will.

    * Full details to be sent to help@kuro5hin.org
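One way to carry out step 1, as an added Python example rather than Scoop's own filter: the input is percent-decoded until it stops changing (so a double-encoded %253C is still caught), then the four characters are rendered as HTML entities. The function names and the sample inputs are constructed here.

```python
import html
from urllib.parse import unquote

# The characters the advisory names as enabling script injection.
DANGEROUS = set('<>"\'')


def normalize_input(text, max_rounds=3):
    """Percent-decode repeatedly until the text stops changing, so a
    double-encoded %253C (which decodes to %3C, then to <) is not missed.
    max_rounds bounds the work done on pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def contains_markup(text):
    """Detection: True when the decoded input carries any of the four characters.
    Useful for logging or rejecting input before it is stored."""
    return any(ch in DANGEROUS for ch in normalize_input(text))


def escape_for_html(text):
    """Display path: render the decoded input with <, >, " and ' (and &) as
    HTML entities so the browser shows them literally instead of parsing them."""
    return html.escape(normalize_input(text), quote=True)
```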

It is the author's hope that sufficient care has been taken to prevent this advisory from becoming a source of abuse for attackers.  Please also feel free to use this submission as a bug report / security flaw report forum.

Thank you for your attention.

Regarding Two Security Holes in Scoop | 54 comments (46 topical, 8 editorial, 0 hidden)
+1 fp (3.00 / 3) (#1)
by circletimessquare on Thu Sep 06, 2007 at 01:18:01 PM EST

does this mean that we won't repeat the disappearance of that anti-israel story from last year?

or at least have some way to revive a delete? hell, all you need is access to a browser cache to do that

what else has been mysteriously wiped from k5 due to outside actors with xss mojo?

and who knew mossad has the time to haxx0rs k5?


The tigers of wrath are wiser than the horses of instruction.

regarding reviving a delete (3.00 / 2) (#7)
by ray eckson on Thu Sep 06, 2007 at 01:54:25 PM EST

it is trivial for an admin to do


wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]
well yeah, but they didn't do it (none / 1) (#8)
by circletimessquare on Thu Sep 06, 2007 at 01:56:56 PM EST

an entire story voted up, with dozens of comments attached

mossad or whomever comes along, uses the methods you mention above, and wipes the story out

and forevermore, it is gone


The tigers of wrath are wiser than the horses of instruction.

[ Parent ]

email help@k5 with the sid (none / 1) (#9)
by ray eckson on Thu Sep 06, 2007 at 01:57:21 PM EST




wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]
ancient battle, long lost (none / 1) (#14)
by circletimessquare on Thu Sep 06, 2007 at 02:12:12 PM EST

the stuff disappeared like a fart in the wind and the admins haven't said a craplet about it

The tigers of wrath are wiser than the horses of instruction.

[ Parent ]
I remember hearing that (3.00 / 3) (#40)
by blackbart on Thu Sep 06, 2007 at 07:09:31 PM EST

backups were too infrequent to catch the deleted article.

"I use this dupe for modbombing and impersonating a highly paid government worker"
- army of phred
[ Parent ]

mossad lol (3.00 / 2) (#43)
by Blond Treehorn Thug on Fri Sep 07, 2007 at 12:11:43 AM EST



I am amused by the simplicity of this game. Bring me your finest meats and cheeses.
[ Parent ]
speaking of Hung Fu (none / 1) (#45)
by nostalgiphile on Fri Sep 07, 2007 at 01:45:12 AM EST

where the hell has that guy been?

"Depending on your perspective you are an optimist or a pessimist[,] and a hopeless one too." --trhurler
[ Parent ]
hung fu was a fucking partisan idiot (none / 1) (#47)
by circletimessquare on Fri Sep 07, 2007 at 09:42:08 AM EST

but he doesn't deserve to have his stories deleted. no one deserves that

The tigers of wrath are wiser than the horses of instruction.

[ Parent ]
Details omitted due to abuse potential (3.00 / 8) (#4)
by gndn on Thu Sep 06, 2007 at 01:39:18 PM EST

You coward. The fastest way to get a fix would be to post the full exploit along with sample code. The site would go absolutely apeshit for a few days which would (presumably) force someone to get off their ass and do something about it.

that's irresponsible (2.66 / 3) (#6)
by ray eckson on Thu Sep 06, 2007 at 01:50:49 PM EST

and I'm not interested in being liable for the k5 going apeshit episode.

you have a browser and notepad; go script kiddy on your own dime


wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]

You could have just sent an email (none / 0) (#12)
by gndn on Thu Sep 06, 2007 at 02:07:36 PM EST

but you instead dumped an article into the queue for general consumption. Anyone with a reasonable amount of skill and a healthy dose of curiosity could take it from there, so you're already liable (in my opinion) if k5 does go apeshit. If you're going to disclose the existence of a vulnerability publicly, you might as well go whole hog and disclose the whole thing.

[ Parent ]
shorter gndn: (none / 1) (#16)
by ray eckson on Thu Sep 06, 2007 at 02:31:55 PM EST

"I dun know how to code, but I do know how to whine!  WHIIIINE!"


wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]
not much of a coder huh? nt (none / 0) (#20)
by circletimessquare on Thu Sep 06, 2007 at 04:13:57 PM EST



The tigers of wrath are wiser than the horses of instruction.

[ Parent ]
Don't shit where you eat. /nt (none / 0) (#22)
by gndn on Thu Sep 06, 2007 at 04:26:43 PM EST



[ Parent ]
and lo (none / 0) (#23)
by circletimessquare on Thu Sep 06, 2007 at 04:38:18 PM EST

gndn walked right up to the festering rotten lair of the troll circletimessquare, and began lecturing the troll on avoiding filthy eating habits

this confused the troll. was this some sort of clever defense?

circletimessquare couldn't understand how the comment was a defense, so he shrugged, picked gndn up, and shoveled the little moron into his belly

as he belched, finally circletimessquare understood his prey's joke: hey, if you are going to be eaten, why not make humorous ironic commentary about your fate?

the troll laughed and went on his merry way, glad that the prey folk of k5 were developing a self-deprecating sense of humor


The tigers of wrath are wiser than the horses of instruction.

[ Parent ]

What are you on, boy? (3.00 / 2) (#24)
by gndn on Thu Sep 06, 2007 at 04:47:54 PM EST

You were trying to goad me into attacking k5, which wouldn't benefit me in any way, and in fact would only serve to irritate me if the site were to go down, since I spend/waste so much time here. Don't shit where you eat, don't bite the hand that feeds you, don't go all script kiddie on one of your favourite time-wasting websites. Mister ray "nearly nullo" eckson probably wouldn't care too much, which is why I'm surprised he didn't just go for it rather than pussyfooting around with this "details omitted" crap.

[ Parent ]
YES (none / 1) (#25)
by circletimessquare on Thu Sep 06, 2007 at 05:04:20 PM EST

FEED ME


The tigers of wrath are wiser than the horses of instruction.

[ Parent ]
Bah, you suck. /nt (none / 1) (#28)
by gndn on Thu Sep 06, 2007 at 05:07:16 PM EST



[ Parent ]
yes, i do suck. took you awhile to figure it out n (none / 0) (#29)
by circletimessquare on Thu Sep 06, 2007 at 05:11:03 PM EST



The tigers of wrath are wiser than the horses of instruction.

[ Parent ]
At least you admit it. /nt (none / 1) (#30)
by gndn on Thu Sep 06, 2007 at 05:11:34 PM EST



[ Parent ]
said the trollfodder in the thread w/ the troll nt (none / 0) (#32)
by circletimessquare on Thu Sep 06, 2007 at 05:23:07 PM EST



The tigers of wrath are wiser than the horses of instruction.

[ Parent ]
YES (3.00 / 2) (#33)
by gndn on Thu Sep 06, 2007 at 05:25:26 PM EST

FEED ME - THE TROLLFODDER HATH BECOME THE TROLL

[ Parent ]
BURP (none / 0) (#34)
by circletimessquare on Thu Sep 06, 2007 at 05:27:05 PM EST

BELCH

WELCOME TO ULTIMATE ENLIGHTENMENT FRIEND

http://www.kuro5hin.org/story/2007/8/2/141114/4704

The tigers of wrath are wiser than the horses of instruction.

[ Parent ]

AH HA HA HA FEED ME MORE! (3.00 / 2) (#36)
by gndn on Thu Sep 06, 2007 at 05:34:24 PM EST

MORE I SAY!

[ Parent ]
ohh shiii (none / 1) (#13)
by Redcatblack on Thu Sep 06, 2007 at 02:08:06 PM EST

he'sa callin you out

[ Parent ]
so we can all watch him get banned .nt (none / 0) (#44)
by nostalgiphile on Fri Sep 07, 2007 at 01:44:14 AM EST



"Depending on your perspective you are an optimist or a pessimist[,] and a hopeless one too." --trhurler
[ Parent ]
where have you been {[nt (none / 1) (#11)
by Stick Apart on Thu Sep 06, 2007 at 02:04:51 PM EST


-------
> "I think it could easily be around 200 million people dead because of gun control." - V

SUPPORT A TEXT-FRIENDLY INTERNET

here and there. (none / 1) (#15)
by aphrael on Thu Sep 06, 2007 at 02:15:52 PM EST



[ Parent ]
Durr. (none / 1) (#17)
by Scott Robinson on Thu Sep 06, 2007 at 02:34:38 PM EST

Somewhere there is a GET / POST URL that causes issues.

Somewhere HTML wasn't filtered properly.

Two sentences, kthx.

I will be disappointed (3.00 / 3) (#18)
by some nerd on Thu Sep 06, 2007 at 03:05:40 PM EST

if we don't soon see fp articles on dKos about how Iraq is actually improving, Bush isn't really such a bad president etc.

--
Home Sweet Home

Maybe not (none / 1) (#50)
by ubernostrum on Sat Sep 08, 2007 at 04:20:45 AM EST

It's been a while since I was doing any work in the Scoop world, but at the time it was fairly common knowledge that dKos runs a heavily-modified codebase.




--
You cooin' with my bird?
[ Parent ]
hey: where did the aphrael comments go? (none / 1) (#35)
by circletimessquare on Thu Sep 06, 2007 at 05:30:18 PM EST

is this some sort of meta commentary on the methods described by the story to delete the guy's comments?

The tigers of wrath are wiser than the horses of instruction.

not afaik (none / 0) (#37)
by ray eckson on Thu Sep 06, 2007 at 05:55:43 PM EST




wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]
i said something i probably shouldn't have (none / 1) (#52)
by aphrael on Mon Sep 10, 2007 at 05:09:54 PM EST

so i removed them.

[ Parent ]
self-censorship is great (3.00 / 1) (#53)
by ray eckson on Mon Sep 10, 2007 at 06:49:27 PM EST

it saves the totalitarians the effort


wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]
a better place to get 'proper' attention about this (3.00 / 3) (#38)
by sye on Thu Sep 06, 2007 at 06:03:22 PM EST

scoop.kuro5hin.org queue.

just to give you my 2 cents

~~~~~~~~~~~~~~~~~~~~~~~
commentary - For a better sye@K5
~~~~~~~~~~~~~~~~~~~~~~~
ripple me ~~> ~allthingsgo: gateway to Garden of Perfect Brightess in CNY/BTC/LTC/DRK
rubbing u ~~> ~procrasti: getaway to HE'LL
Hey! at least he was in a stable relationship. - procrasti
enter K5 via Blastar.in

read the FAQ link (none / 0) (#39)
by ray eckson on Thu Sep 06, 2007 at 06:44:04 PM EST

but you're correct, there are certainly other venues of communication for this.

I also CC'ed the scoop developers' list.


wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]

+1 FP, Sye. nt (none / 0) (#41)
by toki on Thu Sep 06, 2007 at 07:10:56 PM EST



[ Parent ]
Sorry, 'sye'. nt (none / 0) (#42)
by toki on Thu Sep 06, 2007 at 07:13:30 PM EST



[ Parent ]
-1, boo hoo web monkey fucknut bullshit$ (none / 0) (#46)
by GrubbyBeardedHermit on Fri Sep 07, 2007 at 03:39:04 AM EST


GBH

I'm not upset about it (none / 0) (#49)
by ray eckson on Fri Sep 07, 2007 at 05:34:25 PM EST

I'm informing the scoop community at large


wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]
with full commentary please -nt (none / 1) (#48)
by Repost To Diary If It Gets Dumped on Fri Sep 07, 2007 at 02:11:28 PM EST



Section is better than FP (none / 1) (#51)
by ray eckson on Sat Sep 08, 2007 at 10:37:37 PM EST

i just need a URL to email to folks so they know where to get more details


wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]
And while you're at it (none / 0) (#54)
by ksandstr on Mon Nov 05, 2007 at 01:38:17 PM EST

Fixing the POST things I mean, stick a hidden input field in the form while you're at it. Generate these values in a database table and expire them after a day or so, make them user specific and delete-on-use. Or just produce them from a user-specific salt value (like SYN cookies) to reduce database grind.

This stops trivial cross-site request forgeries. I don't know what you'd use a cross-site request forgery for on K5 though, but I suppose someone's gonna think of a way to do it anyway... (also, I haven't at all checked whether this sort of thing is actually used on K5 already, since my goddamn idiotic browser seems to insist on viewing source in Abiword. assume I'm talking out of my arse as usual.)

Fin.
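The salted, stateless variant ksandstr mentions, as an added Python example that is not K5's own formkey implementation: the hidden-field value is an expiry time plus an HMAC over user, form name and expiry, so it is user-specific and expires without a database table, though without storage it cannot be delete-on-use. SERVER_SECRET is a constructed value.

```python
import hashlib
import hmac
import time

# Constructed secret for the example; a deployment would load its own from config.
SERVER_SECRET = b"constructed-example-secret"
TTL_SECONDS = 24 * 60 * 60  # expire after roughly a day


def _mac(user, form_name, expires, secret):
    """HMAC-SHA256 over the fields the key must be bound to."""
    msg = f"{user}|{form_name}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_formkey(user, form_name, now=None, secret=SERVER_SECRET):
    """Return 'expiry.mac' to embed in the hidden field.  The MAC binds the
    key to this user, this form and this expiry, so nothing is stored server-side."""
    now = int(time.time()) if now is None else int(now)
    expires = now + TTL_SECONDS
    return f"{expires}.{_mac(user, form_name, expires, secret)}"


def verify_formkey(token, user, form_name, now=None, secret=SERVER_SECRET):
    """True only if the key is well-formed, unexpired, and was issued for
    this user and form.  Rejecting on any failure is the safe default."""
    now = int(time.time()) if now is None else int(now)
    try:
        expires_str, mac = token.split(".", 1)
        expires = int(expires_str)
    except (ValueError, AttributeError):
        return False
    if now > expires:
        return False
    # Constant-time comparison avoids leaking how much of the MAC matched.
    return hmac.compare_digest(mac, _mac(user, form_name, expires, secret))
```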

those are what k5 calls formkeys (none / 0) (#55)
by ray eckson on Mon Nov 12, 2007 at 01:34:01 PM EST

and they can be defeated with DOM crawling.  


wampsy: hey ray why don't you start up a site. you could call it ray5.
rusty: I gotta fix that stupid cancel bug.
booger: How's that for daring to get ray eckson all sniffy, you cow?
poopy: Not that I'm gay or anything, but for you I might make an exception.
[ Parent ]