ScrewTurn Wiki 4 Releases and News

Archive for the ‘Security’ Category

ASP.NET Vulnerability Fix Released

September 29th, 2010 by Dario Solera | No Comments | Filed in Security

Microsoft has released a fix for the ASP.NET vulnerability that we discussed last week. You should download and install the fix as soon as possible. Keep in mind that the fix will not be available via Windows Update immediately, so you should install it manually.

ASP.NET Security Flaw Workaround

September 19th, 2010 by Dario Solera | 2 Comments | Filed in Security

There has been quite some noise around the recently disclosed security issue in ASP.NET. While the issue is real and potentially dangerous, a fix is not yet available as of this writing; however, Scott Guthrie posted a rather clever workaround on his blog. Without delving into much detail, the problem is that ASP.NET, or applications built on it, might leak details about the errors that occur (most notably the exception type and the stack trace). Using such data and a brute-force attack, an attacker would be able to decrypt the data contained in ASP.NET’s cookies and/or ViewState (more precisely, identify the encryption algorithm and key). That’s bad, because a number of exploits become possible in such a condition.

Just in case you are wondering, with the default configuration (pre-workaround) ScrewTurn Wiki never leaked information about any error that occurred, so it already included some kind of mitigation for this specific issue. At any rate, we applied the workaround to ScrewTurn Wiki, so make sure to download and install version 3.0.4.560.

If you are using the Web Platform Installer, you’ll have to wait until Microsoft approves the update (that usually takes a couple of weeks). Alternatively, you can update the application manually, very much like a regular instance. If you need help, just ask in our forum.

Update (2010/09/21): sorry, I forgot to mention that you should also update your web.config file, making sure that it contains the customErrors section.
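To make the web.config part of the workaround concrete, here is an added C# example (not ScrewTurn Wiki’s code) that audits a web.config for the customErrors settings the published workaround calls for: mode="On", a single defaultRedirect, and no per-status error mappings. The two configurations it runs against are constructed samples, and the redirectMode attribute in the corrected one applies to .NET 3.5 SP1 and later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example, not part of ScrewTurn Wiki: checks whether a web.config
// carries the customErrors settings the published workaround calls for.
static class CustomErrorsAudit
{
    // Returns the list of findings; an empty array means the section looks right.
    public static string[] Audit(string webConfigXml)
    {
        var doc = XDocument.Parse(webConfigXml);
        var section = doc.Root?.Element("system.web")?.Element("customErrors");
        if (section == null)
            return new[] { "customErrors section missing: ASP.NET may send detailed error pages" };

        var findings = new List<string>();

        // ASP.NET defaults to RemoteOnly when the attribute is absent.
        var mode = (string)section.Attribute("mode") ?? "RemoteOnly";
        if (!mode.Equals("On", StringComparison.OrdinalIgnoreCase))
            findings.Add($"mode=\"{mode}\": the workaround requires mode=\"On\" for every request");

        // Every error must land on the same generic page...
        if (string.IsNullOrEmpty((string)section.Attribute("defaultRedirect")))
            findings.Add("defaultRedirect missing: all errors must be mapped to one generic error page");

        // ...so per-status mappings, which make error kinds distinguishable, must go.
        if (section.Elements("error").Any())
            findings.Add("per-status <error> entries present: remove them so responses do not reveal the error kind");

        return findings.ToArray();
    }

    static void Main()
    {
        // Constructed sample: a setting that lets detailed error pages reach the client.
        const string weak = @"<configuration><system.web>
  <customErrors mode=""Off"" />
</system.web></configuration>";

        // Constructed sample: the setting recommended by the workaround
        // (redirectMode="ResponseRewrite" applies to .NET 3.5 SP1 and later).
        const string fixedConfig = @"<configuration><system.web>
  <customErrors mode=""On"" redirectMode=""ResponseRewrite"" defaultRedirect=""~/Error.aspx"" />
</system.web></configuration>";

        foreach (var (label, xml) in new[] { ("weak", weak), ("fixed", fixedConfig) })
        {
            var findings = Audit(xml);
            Console.WriteLine($"{label}: {(findings.Length == 0 ? "OK" : string.Join("; ", findings))}");
        }
    }
}
```

The check only covers the configuration side. The other half of the workaround is the error page itself, which has to respond identically for every kind of error; a static check of web.config cannot verify that, so review the page code separately.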

Active Directory Provider and More

March 9th, 2010 by Dario Solera | 8 Comments | Filed in Community, Security

I’m very happy to announce that thanks to the hard work of Matt C. and Bill F., we now have an official, fully-supported Active Directory Provider. You can find it in the standard download packages as well as in the source code.

The provider basically works like this: you map AD groups to STW groups, so that every time an AD user accesses the wiki, he or she is authenticated against Active Directory. The provider copies the user’s data locally, most importantly the username, the display name and the email address, while the local password is generated randomly. You can even set up web.config to allow Windows Authentication (when the site is trusted in IE), so your users never have to authenticate manually.

I think it’s a great result, so I renew my thanks to Matt and Bill.

On a side note, ScrewTurn Wiki 3.0 is now available via the Microsoft Web Application Gallery, providing a simple installation experience. You can choose to either install the file-based or SQL Server-based version. It’s been quite hard to get the package right, but I think the result is worth the pain.

On Dumb Crackers

November 12th, 2009 by Dario Solera | No Comments | Filed in Internet, Security

It happens that there is an old version of a PHP-based CMS application that is affected by a bug that, if I understand correctly, allows an attacker to alter the content of a part of a site, called snippet.

ScrewTurn Wiki has snippets (but they’re secure).

The funny thing is that we get a ton of attacks that try to apply the same technique used against the above-mentioned CMS to our website because, I think, there is a page called snippets. Crackers are getting dumber, I guess…

STW, in such cases, simply crashes as the HTTP query string is a complete mess, so no worries: we fail fast. At any rate, even if the request were well-formed, an attacker could not bypass the security configuration the way she does in the above-mentioned CMS: permissions are checked for every single request, including all post-backs.

ScrewTurn Wiki and Bots

July 20th, 2009 by Dario Solera | 4 Comments | Filed in Internet, Security

Since the early v3 builds, ScrewTurn Wiki has been able to report errors (exceptions) via email to a designated list of recipients. Well, I constantly get 20 or so notifications a day, all with the same cause: “Validation of ViewState MAC failed”, always occurring for Register.aspx and Login.aspx. These are obviously requests made by bots attempting to create accounts and log into the wiki. The funny thing is that ASP.NET (WebForms) automatically takes care of this: the ViewState is validated before the request is executed, rendering the automated sign-up/login requests completely useless. Given that the number of registered users is not increasing much on a daily basis, but more importantly that there are no abusive ads in the wiki pages, I think we can safely assume that the CAPTCHA and the ViewState validation make ScrewTurn Wiki completely immune to bots.

On a side note, there are a number of requests that are basically aimed at finding XSS vulnerabilities in the application (the requests throw exceptions due to malformed URLs). So far, no new XSS vulnerabilities have been found (there was one in v2, promptly fixed).

Quick Question about ACL Behavior

October 5th, 2008 by Dario Solera | 3 Comments | Filed in Community, Security, Software Design

The ACL engine is on its way and is proceeding quite fast.

I’m writing a lot of unit tests for the code that decides whether or not an action is allowed, because a security breach won’t be easy to spot in a running system. However, I found myself laying out a test for the case in which a user or group has a grant on the root namespace (say, she can edit pages), and no other information is available for a sub-namespace. If namespaces were folders, the permission would be inherited and the user would be allowed to edit pages in the sub-namespace, but namespaces are designed to be more like sub-wikis than simple collections of pages. I think they are not semantically nested one inside another.

The question is: should permissions be inherited in sub-namespaces from the root namespace? I think they should not, but I’m asking your opinion. The differences in the code are just a few lines, so that is not a problem for once.

Update. After thinking about this problem a little more, and also reading Will’s comment, I think the best option is to inherit permissions from the root namespace. This way ACLs are really an opt-in feature, and administrators don’t have to worry about them if they find the default settings satisfying. Thoughts?

Critical Security Issue

February 8th, 2008 by Dario Solera | No Comments | Filed in Security

Nothing much to say about version 2.0.24, apart from the fact that it fixes a critical security issue that could allow an attacker to save a page without being logged in.

Unfortunately this bug has already been exploited on a public wiki, so you surely understand how important it is to update. In the worst case, however, you’d only need to roll back the defaced pages to a previous revision.

Version 2.0.24 also adds the Turkish translation (thank you Muhammed).

Notes

September 9th, 2007 by Dario Solera | 2 Comments | Filed in Off-Topic, Security

I’m just writing down a couple of notes which will be probably useful in future.

Running Subversion as a Windows Service

It’s possible to run Subversion as a Windows Service, using the command-line tool sc.exe:

sc create svn binpath= "\"C:\Path\to\svnserve.exe\" --service -r \"C:\Path\to\repositories\"" displayname= "SVN Service" depend= Tcpip start= auto

Please note that binpath is not just the path to the executable, but the whole command line (including svnserve’s arguments). Also, be sure to insert a space between the equal sign and the parameter value. To remove the service, use the command sc delete svn.

Changing the Remote Desktop Port

If you want to use the Remote Desktop (or Terminal Server) service but get a little more security, you can change the port the service listens on. It’s as easy as changing a registry value. Look for the value named PortNumber under the key HKLM\SYSTEM\CurrentControlSet\Terminal Server\WinStations\RDP-Tcp. You can then set the port number you like (the default is 3389).

ACLs Implementation

July 17th, 2007 by Dario Solera | 5 Comments | Filed in Development, Security, Usability

It seems that ACLs are a feature that just about everyone wants, so we’re going to implement them in version 2.1. The implementation is described here – note that nothing is carved in stone, so there might be changes. Also, our implementation is not very similar to any other ACL system I’ve ever seen, due to compatibility reasons.

[Image: permissionssmall.png – the two permission tables]

The tables above summarize the two types of behavior that the engine implements. For pages, only the first table is used (X means that the action is allowed). For namespaces, both tables are used: the second one tells whether the current user can create new pages. For file upload directories, again both tables are used, where “Read” means “Download”, “Edit” means “Delete or rename” and “Create” means “Upload”.

In all cases, the permissions of objects at an inner level have higher precedence. For example, page permissions “overtake” namespace permissions. A new page, by default, inherits the permissions of the namespace containing it. The same happens for nested namespaces and sub-directories. For now, it’s not possible to set permissions on single uploaded files.

ACLs will be implemented as an additive layer: each object can have a local ACL, which of course has higher precedence than the “built-in” permission levels. There will be user groups, with two built-in groups: Users and Administrators. For each object, it will be possible to define which users and groups can read, edit and create new sub-items in the object.

As you can see, ACLs will be optional, so you don’t have to worry about them if you don’t plan to use them. There are still a number of technical problems to resolve, but hopefully everything will work fine. Due to the approach we adopted, this feature is in fact quite difficult to implement, so the release date for version 2.1 has been set to “late 2007”. Sorry for that.
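The precedence rules above, together with the decision in the “Quick Question about ACL Behavior” post to inherit permissions from the root namespace, as an added C# example that is not ScrewTurn Wiki’s own engine. It walks from the innermost object outward and lets the first explicit entry decide, so a page ACL overrides its namespace, a sub-namespace without entries inherits from the root, and the built-in group levels apply only when no local ACL mentions the subject. The built-in levels, the rule that a user entry beats a group entry, and deny-over-grant when groups disagree are assumptions of the example, not documented wiki behavior.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not ScrewTurn Wiki's own engine: a small resolver for the
// precedence rules described in the post. Objects form a chain
// (root namespace -> sub-namespace -> page); the innermost object that has an
// explicit entry for the subject decides; objects without one inherit from
// their container; the built-in group levels apply only when no local ACL
// mentions the subject anywhere in the chain.
enum AclAction { Read, Edit, Create }

// One entry of a local ACL. Subject is a user name or a group name.
class AclEntry
{
    public string Subject; public AclAction Action; public bool Allowed;
    public AclEntry(string subject, AclAction action, bool allowed) { Subject = subject; Action = action; Allowed = allowed; }
}

// A securable object: a namespace, a page or an upload directory.
class SecurableObject
{
    public string Name;
    public SecurableObject Parent;
    public List<AclEntry> LocalAcl = new List<AclEntry>();
    public SecurableObject(string name, SecurableObject parent) { Name = name; Parent = parent; }
}

static class AclEngine
{
    // Built-in permission levels (assumed defaults for this example).
    static readonly Dictionary<string, AclAction[]> BuiltIn = new Dictionary<string, AclAction[]>
    {
        { "Users", new[] { AclAction.Read, AclAction.Edit } },
        { "Administrators", new[] { AclAction.Read, AclAction.Edit, AclAction.Create } },
    };

    public static bool IsAllowed(SecurableObject target, string user, string[] groups, AclAction action)
    {
        // Walk from the innermost object outward: page, then its namespace, then the root.
        for (var obj = target; obj != null; obj = obj.Parent)
        {
            var entries = obj.LocalAcl.Where(e => e.Action == action).ToList();

            // A user-specific entry beats group entries on the same object (assumption).
            var forUser = entries.FirstOrDefault(e => e.Subject == user);
            if (forUser != null) return forUser.Allowed;

            // Otherwise entries for the user's groups decide at this level;
            // an explicit deny wins over a grant when groups disagree (assumption).
            var forGroups = entries.Where(e => groups.Contains(e.Subject)).ToList();
            if (forGroups.Count > 0) return forGroups.All(e => e.Allowed);
        }

        // No local ACL mentions the subject: fall back to the built-in group levels.
        return groups.Any(g => BuiltIn.TryGetValue(g, out var allowed) && allowed.Contains(action));
    }

    static void Main()
    {
        var root = new SecurableObject("root", null);
        var help = new SecurableObject("Help", root);              // sub-namespace with no local ACL of its own
        var install = new SecurableObject("Help.Install", help);   // page inside the sub-namespace
        var users = new[] { "Users" };

        root.LocalAcl.Add(new AclEntry("Users", AclAction.Create, true));    // root lets Users create pages
        install.LocalAcl.Add(new AclEntry("Users", AclAction.Edit, false));  // the page locks editing for Users...
        install.LocalAcl.Add(new AclEntry("alice", AclAction.Edit, true));   // ...but keeps it open for alice

        Console.WriteLine("bob creates in Help (inherited from root): " + IsAllowed(help, "bob", users, AclAction.Create));
        Console.WriteLine("bob edits Help.Install (page ACL overrides built-in): " + IsAllowed(install, "bob", users, AclAction.Edit));
        Console.WriteLine("alice edits Help.Install (user entry beats group entry): " + IsAllowed(install, "alice", users, AclAction.Edit));
        Console.WriteLine("bob reads Help.Install (no local entry, built-in Users level): " + IsAllowed(install, "bob", users, AclAction.Read));
    }
}
```

Because every decision is made by one function over the object chain, each rule in the post maps to a single unit test on IsAllowed, which is the kind of test coverage the earlier post argues for: a wrong precedence order shows up as a failing assertion rather than as a silent breach in a running wiki.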


About

  • Copyright ©2006-2012 Threeplicate Srl. All rights reserved. Some of the icons created by FamFamFam.