Topic: Security concern in RSS feature (Read 7179 times)

Neri

Security concern in RSS feature
« on: April 20, 2009, 05:11:05 pm »
The RSS link includes the user name and password in a parameter called "token", which turns out to be a serious security problem if the link falls into the hands of another user, because it would give access to the system.

max

Re: Security concern in RSS feature
« Reply #1 on: April 20, 2009, 06:24:55 pm »
Which raises question b): Is the login screen safe at all? Is the password, as it is now, being transmitted in an encrypted fashion?

Am I right in assuming that using HTTPS would solve problem b) but not the problem of the unsafe RSS connection?

What else can we do against it?

Neri

Re: Security concern in RSS feature
« Reply #2 on: April 21, 2009, 12:01:05 am »
I guess the username and password being encrypted in this parameter would be the only explanation for how one can log into the system with only this link.

The deep link system probably needs to change; it should be something that forces the user to type the password.

I suggest you add a patch immediately to disable the RSS feature, until you can resolve this issue definitively.

ignacio

Re: Security concern in RSS feature
« Reply #3 on: April 21, 2009, 06:49:19 pm »
Hi. If you use HTTPS there should be no risk. If you don't, your password will be sent in plain text, as well as all your information. If the token falls into another user's hands it will allow him to log in as your user, but how can it fall into another user's hands?

Neri

Re: Security concern in RSS feature
« Reply #4 on: April 23, 2009, 01:51:49 am »
The problem is not whether or not it falls into the hands of a user; the main problem is the link itself, which involves a breach of security and should be considered at least as risky, especially since it is so simple to copy. I think one could sit at the PC with a coworker and copy their RSS links. In addition, the system never warns about the private data included in the RSS link; therefore, a dummy user can share this link without considering the risk.
I discussed this issue with ten or fifteen programmer coworkers, and all believe it is a serious security hole... does anyone think the same?

Pet

Re: Security concern in RSS feature
« Reply #5 on: April 23, 2009, 03:10:40 am »
I can copy this rss string with the token, paste it into a browser on another computer, and suddenly I am logged in.  If someone else did this, they would have full access to my administrative console.

I too am somewhat surprised that this is how this works.  Although the risk of someone getting on my machine to copy this link is the same likelihood as them getting on my machine to retrieve passwords or financial information (read: very difficult), it is still potentially dangerous for those who do not take elementary precautions (which means 95% of the general public unfortunately).

The argument can be made that you cannot take every precaution and completely protect unwitting users.

I'm just wondering why a different system for RSS feeds wasn't chosen? I.e., instead of logging in, retrieve the results of a publicly available status page.

Also, I added a feature request that would help to some extent if implemented.

cheers
« Last Edit: April 23, 2009, 03:18:51 am by Pet »
Support OpenGoo - Sponsor a Feature! | Follow me on Twitter | OG Support Chat | Did you turn debugging on?

ignacio

Re: Security concern in RSS feature
« Reply #6 on: April 23, 2009, 10:11:20 am »
The RSS feed works like that because we used what was already implemented in activeCollab. We could change how the RSS feed works, using HTTP authentication or Atom with authentication, but the problem would persist: if someone can access your PC he/she can access your cookies, and so you will be in greater trouble.

The suggestion of asking for the password before entering the Administration section is a good one to reduce risks. What other suggestions do you have?

ignacio

Re: Security concern in RSS feature
« Reply #7 on: April 23, 2009, 10:32:59 am »
Update: Corrected the problem described by Pet, where you could log in by accessing the RSS feed through your browser.

A suggestion: A config option to enable RSS feeds describing the risks with it, which would be disabled by default. What do you think?

Neri

Re: Security concern in RSS feature
« Reply #8 on: April 23, 2009, 11:06:39 am »
I think it should be disabled by default, and it should have a warning notice that the link is for personal use and should not be distributed to other people.

Pet

Re: Security concern in RSS feature
« Reply #9 on: April 23, 2009, 12:25:21 pm »
There are always some risks, but awareness is half the battle  ;)

bayonian

Re: Security concern in RSS feature
« Reply #10 on: April 24, 2009, 05:09:37 am »
For the time being, the RSS feature should be disabled by default. We can't afford any risk, as you can share the RSS link with other people.  :(

How would I manually disable the RSS feature?

Thank you.

ignacio

Re: Security concern in RSS feature
« Reply #11 on: April 27, 2009, 10:25:47 am »
To disable the link you have to do the following:

1) Remove line 39 from 'application/layouts/website.php':
Code:
<link rel="alternate" type="application/rss+xml" ...
2) Remove line 93 from 'application/views/dashboard/widget_dashboard_info.php':
Code:
<tr><td colspan="2"><a target="_blank" class="link-ico ico-rss" ...

bayonian

Re: Security concern in RSS feature
« Reply #12 on: April 27, 2009, 10:57:27 pm »
2) Remove line 62 from 'application/views/dashboard/widget_dashboard_info.php':

Code:
<tr><td colspan="2"><a target="_blank" class="link-ico ico-rss"
  href="<?php echo get_url('feed', 'project_activities',
    array(
      'id' => logged_user()->getId(),
      'token' => logged_user()->getTwistedToken(),
      'project' => $project->getId())) ?>">
  <?php echo lang("recent project activities feed",
    clean($project->getName())) ?>
</a></td></tr>

Thanks.

P.S.: There should be a forum section to discuss the security issues of OpenGoo, because they are not a general discussion.
« Last Edit: April 27, 2009, 11:10:58 pm by bayonian »

Neri

Re: Security concern in RSS feature
« Reply #13 on: April 28, 2009, 11:55:09 pm »
Thank you very much, Ignacio!  :D

I agree with Bayonian; there should be a section to discuss security issues.