From: Chris B. <ch...@ba...> - 2005-01-21 22:31:41
> Please don't be the first person to discover a security hole when your
> machine becomes "owned" by someone else!

Actually I've already found two so far:

- Chris Barrett fixed a security issue with web/bin/browse.pl
- Chris Barrett noticed that a mh.ini entry of password_allow_clients = 1.2.3.4 would allow clients of 1.2.3.41 through. We fixed the regular expression test so it is now anchored, so if you had an entry like 192.168.0. you will want to change it to 192.168.0..+

The first was a directory traversal bug that allowed the user to 'cat' any file on the system (subject to the permissions of the MH process). However, the user had to have been authenticated either as 'family' or 'admin' or have come from an authorised IP address, so it wasn't too bad.

The second, however, was a scary one, but the circumstances had to be just right for it to work. In my case I was trusting 192.168.0.2 and the inside interface of my firewall was 192.168.0.254. I was using apache on the firewall as a reverse proxy and therefore connections from outside my network were, as far as MH was concerned, coming from 192.168.0.254. The problem was that the 'is the source IP authorised?' regex in MH was finding 192.168.0.2 in 192.168.0.254 and as a result all external connections were being authorised!

Both have been fixed - the former since 2.89 and the latter since 2.88. I advised Bruce and we fixed them via email.

And for the record, my MH is accessible via HTTP without any other security measures - SSH tunnels, VPNs, port knocking, etc.

----- Original Message -----
From: "Matthew Williams" <mat...@us...>
To: <mis...@li...>
Sent: Saturday, January 22, 2005 2:25 AM
Subject: Re: [misterhouse-users] linksys

> The problem of exposing MH to an externally accessible port is that not
> many people have done that (I hope). This means that there may be unknown
> vulnerabilities in mh that theoretically might be exploitable by the
> outside world.
>
> On one hand, it is a good thing that mh is only used by a relatively small
> community - there's not much interest out there in trying to break it to
> gain access to a system. But, this also implies that there are _likely_
> to be holes that have yet to be discovered.
>
> Add in to the mix that mh can be extended by just about anyone with a
> small knowledge of PERL, and new holes can be introduced quite easily.
>
> You need to somehow protect access to mh, either through SSH tunnels, as
> has been suggested, or something more complex like PPTP or IPsec. You
> could even try "port knocking" (do a google search if you are unfamiliar
> with this approach to access control).
>
> Please don't be the first person to discover a security hole when your
> machine becomes "owned" by someone else!
>
> Matt
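The password_allow_clients problem described above, as an added illustration that is not MisterHouse's own code: a stand-alone Perl script contrasting an unanchored allow-list check, which accepts any client address that merely contains an entry, with the anchored form the fix introduced. The subroutine names and the sample entries are assumptions made for this example; as on the page, entries are treated as regular expressions, which is why a whole-subnet entry has to be written as 192.168.0..+ once the test is anchored.

```perl
#!/usr/bin/perl
# Added example (not MisterHouse's own code). Shows why an unanchored
# regex test on password_allow_clients lets 1.2.3.41 through an entry of
# 1.2.3.4, and 192.168.0.254 through an entry of 192.168.0.2, and how
# anchoring the test closes the gap.
use strict;
use warnings;

# Constructed mh.ini-style allow list. Each entry is used as a regex,
# so an unescaped '.' matches any single character.
my @allow = ('1.2.3.4', '192.168.0.2');

# Vulnerable check (hypothetical name): no anchors, so the entry only has
# to occur somewhere inside the client address.
sub allowed_unanchored {
    my ($client, @entries) = @_;
    for my $entry (@entries) {
        return 1 if $client =~ /$entry/;
    }
    return 0;
}

# Fixed check (hypothetical name): anchored at both ends, so the whole
# client address must match the entry. The non-capturing group keeps
# alternation inside an entry from escaping the anchors.
sub allowed_anchored {
    my ($client, @entries) = @_;
    for my $entry (@entries) {
        return 1 if $client =~ /^(?:$entry)$/;
    }
    return 0;
}

# Constructed client addresses: the two trusted hosts plus the two
# look-alikes from the mailing-list report.
my @clients = ('1.2.3.4', '1.2.3.41', '192.168.0.2', '192.168.0.254');

for my $client (@clients) {
    printf "%-14s unanchored=%d anchored=%d\n", $client,
        allowed_unanchored($client, @allow),
        allowed_anchored($client, @allow);
}

# After anchoring, a subnet entry written as '192.168.0.' no longer
# matches the hosts in that subnet; it needs the trailing '.+'.
for my $subnet ('192.168.0.', '192.168.0..+') {
    printf "subnet entry %-13s anchored match for 192.168.0.10: %d\n",
        $subnet, allowed_anchored('192.168.0.10', $subnet);
}
```

Run it with `perl allow_clients.pl`. The unanchored column admits both look-alike addresses, the anchored column rejects them, and the last two lines show the subnet entry rewrite the report asks for. The remaining weakness the page does not address is that the dots in each entry are still regex wildcards; escaping them (or comparing addresses as parsed octets rather than as patterns) would tighten the check further.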