[Mono-bugs] [Bug 77406][Maj] New - Insecure apache configuration allows for direct download of web service assemblies

bugzilla-daemon at bugzilla.ximian.com
Mon Jan 30 12:24:04 EST 2006

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by dana at vulscan.com.


--- shadow/77406	2006-01-30 12:24:04.000000000 -0500
+++ shadow/77406.tmp.31343	2006-01-30 12:24:04.000000000 -0500
@@ -0,0 +1,57 @@
+Bug#: 77406
+Product: Mono: Tools
+Version: 1.1
+OS: other
+OS Details: Debian Unstable
+Status: NEW   
+Priority: Major
+Component: tools
+AssignedTo: mono-bugs at ximian.com                            
+ReportedBy: dana at vulscan.com               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+Summary: Insecure apache configuration allows for direct download of web service assemblies
+Description of Problem: It appears that there may be an insecure by default
+issue in how mono-server-admin writes out the mono-server-hosts.conf file.
+When using Apache with mod_mono, it is possible for an adversary to
+download the web service assemblies without any sort of authentication. In
+my tests on 3 colleague's deployments, due to the fact they did not
+obfuscate their assemblies I was able to get access to their db connection
+strings(including their passwords) by simply referencing their DLLs
+directly via path, through predictable naming conventions.
+Steps to reproduce the problem:
+1. Locate any web service (http://foo.com/AppWebService/App.asmx
+2. Try to download the primary web service assembly using the path
+3. If that doesn't work, try a few other 'predictable' naming conventions
+based on the web service name and the class/method exposed. Using VS.NET
+the web service name defaults to the DLL name. 
+Actual Results:
+Downloaded the DLL.
+Expected Results:
+A 403 Forbidden message sent by Apache
+How often does this happen? 
+Every time
+Additional Information:
+This isn't really a bug in Mono as much as it is a configuration problem
+with Apache. However, since mono-server-admin is writing out the
+mono-server-hosts.conf file, it might make sense to lock it down there.
+One suggestion may be to use the <Files> directive and prevent downloading
+of any file in the bin dir. Another would be to document this as a security
+configuration setting requirement that is needed when using Apache. Either
+way, it is exposing Mono's web services to undue information disclosure
+risk and should somehow be documented to reflect this.
+Feel free to contact me if you need any further information on this.
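Review bot: the fix suggested under "Additional Information" is underspecified for someone editing the generated mono-server-hosts.conf. A `<Files>` directive matches on file name, so it would only cover the assemblies if paired with a pattern such as `<FilesMatch "\.dll$">`, whereas the requirement stated in the report is that nothing in the application's bin directory be served at all; in Apache that is a directory-scoped rule, e.g. `<DirectoryMatch "/bin/">` with `Order allow,deny` and `Deny from all` (2.2-era syntax, matching the 2006 date of the report), which also covers any other file that ends up in bin. Whichever form is chosen, the expected result in the report ("A 403 Forbidden message sent by Apache") should be verified explicitly after the change by requesting the path of a known assembly under bin, and the `.asmx` endpoint should be re-tested at the same time, since an over-broad deny rule would also block the service itself. Minor: the example URL in step 1 of "Steps to reproduce" has an unclosed parenthesis, and step 2 says "using the path" without stating which path is meant.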
