Versions Compared

Old Version 9

changes.mady.by.user Greg Hudson

Saved on

compared with

New Version Current

changes.mady.by.user Janet Riley Bowker

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Corrected links that should have been relative instead of absolute.

...

There is no systemic mitigation for these risks other than encouraging the use of virtual domains.  They should be treated as application security issues.  Note that cookie injection is not a problem unique to applications running within the same domain; any attacker controlling content on a foo.mit.edu host can inject cookies into all .mit.edu hosts if the victim applications do not check cookie domains.

3d.

...

Browser security

Browsers treat the protocol, host, and port of a URL as a protection domain, allowing a variety of attacks between multiple content owners within the same domain.  As one example: 

Basic auth is a rudimentary password protection system built into HTTP.  Most web applications do their own password management, but static content is sometimes protected with Basic auth.  Once a user enters a password for a given resource, the browser caches the password, so that the user does not have to reenter it each time the resource is accessed.  A Basic auth resource is identified by the domain part of the URL and a server-provided realm.  In a shared hosting environment, the normal Apache httpd mechanisms for doing Basic auth allow each content owner to pick the realm used for each resource.  An attacker can steal passwords from users of another content owner's resource by choosing the same realm name as the other content owner.

 Mitigation options include:

  • Deny users the ability to use Basic auth; make them use Digest auth instead.  Digest auth does not provide the server with the user's password.
  • Allow users to use Basic auth, but force the realm to include the username as a prefix.
  • Allow Basic auth, but only in the context of a virtual domain.

More research is required to determine which of these options is most feasible.  Note that disabling or restricting the normal Apache auth mechanisms may not be sufficient; it may be possible to circumvent them with CGI scriptsMore generally, Javascript code can be used to attack content owned by someone else using the same domain.  To mitigate these attacks, we should use a separate domain for each content owner.  This can be easily achieved with a wildcard DNS record, so that user sites look like http://mv.ezproxy.com.ezproxy.canberra.edu.au/ instead of http://mv.ezproxy.com.ezproxy.canberra.edu.au/~username.

3e. PHP session hijacking

...

A local root vulnerability could allow a regular user to take control of the entire hosting service, or could allow an attacker who has taken control of a user account (or the apache account) to take control of the entire service.  Recovering from a compromise of this sort would require disrupting the web hosting service, possibly for an extended period of time, while the server is reinstalled and user content is restored from backup.

 Mitigation Mitigation options:

  • Audit the system for setuid programs and remove any unnecessary packages containing them.  Turn off the setuid bit on the remaining setuid programs which don't need to be setuid.
  • Keep the system up to date.
  • Treat kernel security updates as high-priority updates; schedule a reboot to install kernel updates on the evening of the upstream kernel package release at the latest.
  • Use a Linux distribution which closely tracks the upstream kernel.org sources and run a custom-built kernel based on those sources, thus allowing us to apply kernel patches easily.
  • Deploy a clustered environment, allowing individual servers to have their kernels upgraded immediately without a visible service outage.

It may be possible to use SELinux to reduce the likelihood of a local root privilege escalation.  More research is required.

...