[Mono-bugs] [Bug 77406][Maj] New - Insecure apache configuration allows for direct download of web service assemblies
bugzilla-daemon at bugzilla.ximian.com
Mon Jan 30 12:24:04 EST 2006
Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.
Changed by dana at vulscan.com.
http://bugzilla.ximian.com/show_bug.cgi?id=77406
--- shadow/77406 2006-01-30 12:24:04.000000000 -0500
+++ shadow/77406.tmp.31343 2006-01-30 12:24:04.000000000 -0500
@@ -0,0 +1,57 @@
+Bug#: 77406
+Product: Mono: Tools
+Version: 1.1
+OS: other
+OS Details: Debian Unstable
+Status: NEW
+Resolution:
+Severity:
+Priority: Major
+Component: tools
+AssignedTo: mono-bugs at ximian.com
+ReportedBy: dana at vulscan.com
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL:
+Cc:
+Summary: Insecure apache configuration allows for direct download of web service assemblies
+
+Description of Problem: It appears that there may be an insecure by default
+issue in how mono-server-admin writes out the mono-server-hosts.conf file.
+When using Apache with mod_mono, it is possible for an adversary to
+download the web service assemblies without any sort of authentication. In
+my tests on 3 colleague's deployments, due to the fact they did not
+obfuscate their assemblies I was able to get access to their db connection
+strings(including their passwords) by simply referencing their DLLs
+directly via path, through predictable naming conventions.
+
+
+Steps to reproduce the problem:
+1. Locate any web service (http://foo.com/AppWebService/App.asmx
+2. Try to download the primary web service assembly using the path
+http://foo.com/AppWebService/bin/AppWebService.dll
+3. If that doesn't work, try a few other 'predictable' naming conventions
+based on the web service name and the class/method exposed. Using VS.NET
+the web service name defaults to the DLL name.
+
+Actual Results:
+Downloaded the DLL.
+
+Expected Results:
+A 403 Forbidden message sent by Apache
+
+How often does this happen?
+Every time
+
+Additional Information:
+This isn't really a bug in Mono as much as it is a configuration problem
+with Apache. However, since mono-server-admin is writing out the
+mono-server-hosts.conf file, it might make sense to lock it down there.
+
+One suggestion may be to use the <Files> directive and prevent downloading
+of any file in the bin dir. Another would be to document this as a security
+configuration setting requirement that is needed when using Apache. Either
+way, it is exposing Mono's web services to undue information disclosure
+risk and should somehow be documented to reflect this.
+
+Feel free to contact me if you need any further information on this.
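Review bot: The `<Files>` suggestion under "Additional Information" does not on its own cover a directory: Apache's `<Files>` container matches file names wherever they occur, so preventing download of "any file in the bin dir" needs a path-based container such as `<DirectoryMatch "/bin/">` on the filesystem side, or a `<Location>` block on the URL side, carrying the access denial that produces the 403 listed under "Expected Results". The report would also be easier to act on if it attached the mono-server-hosts.conf that mono-server-admin actually generated, since the claim that the file lacks such a restriction is stated but not shown in the hunk.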