On Fri, Nov 25, 2005 at 03:28:19PM +0000, Steve Fisher wrote:
> From: Kostas Georgiou <[log in to unmask]>
> >
> > You can use PongServlet to port scan machines inside the firewall...
> > http://rgmaserver:8080/R-GMA/PongServlet?servletURL=http://somemachine:25/
> >
> > You can use PongServlet to redirect http calls to hosts inside your
> > firewall....
> > http://rgmaserver:8080/R-GMA/PongServlet?servletURL=http://somemachine:80/cgi-bin/dosomething?user=a&password=b%3F
> >
> > You can cause PongServlet to download big files causing tomcat to
> > run out of memory
> > http://rgmaserver:8080/R-GMA/PongServlet?servletURL=http://www.redhat.com/docs/manuals/dir-server/pdf/ds71cli.pdf%3Fa=
>
> Thanks for this information. Pong was written in rather a hurry to try
> to spot firewall problems on a site as badly configured firewalls have
> a major impact upon R-GMA.
>
> The problems you have identified above seem rather elementary
> programming errors which I am surprised to see in the code.
That is the reason why we need people to review the code from a security
viewpoint. Having closed security lists and keeping everything secret
doesn't help the programmers to learn from each other's mistakes either.
> I have copied this e-mail to Linda Cornwall. She looks after grid
> vulnerabilities and will advise you on how to get these concerns
> properly followed up.
>
> It will be going as a bug into our Savannah, however it will not spell
> out the details as Savannah is public.
>
> In fact vulnerabilities should *not* be discussed on the rollout list
> there are procedures for dealing with them.
It is my opinion that a public mailing list *is* the right place to discuss
security problems, especially ones that don't take more than 5 minutes to
spot; it is naive to think that hackers cannot look for bugs on their own.
Cheers,
Kostas
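The three problems listed above (probing arbitrary ports, driving requests at hosts behind the firewall, and buffering an arbitrarily large response) all come from fetching a caller-supplied servletURL with no constraints on it. The following is an added example, not code from this thread or from R-GMA (the real PongServlet is Java): it shows the checks a pong-style endpoint should apply before fetching and the bounded read it should use afterwards. The allowed ports and path, the size cap, the hypothetical function names and the resolver results are all assumptions made for the illustration.

```python
"""Added example, not R-GMA/PongServlet code: the checks a servlet that fetches
a caller-supplied URL should enforce. Allow-lists, size cap and resolver data
are assumptions for illustration only."""
import io
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080, 8443}       # assumed: the ports a probe may use
ALLOWED_PATHS = {"/R-GMA/PongServlet"}      # assumed: only the pong endpoint itself
MAX_BODY_BYTES = 64 * 1024                  # assumed cap on the response body


class RejectedTarget(ValueError):
    """Raised when a servletURL must not be fetched."""


def is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url: str, resolve) -> tuple[str, int, str]:
    """Return (ip, port, path) for an acceptable target, else raise RejectedTarget.

    `resolve(host)` returns the IP strings the host resolves to; it is injected
    so the example runs offline (production code would use socket.getaddrinfo).
    The fetch must connect to the returned IP, not re-resolve the hostname, so
    a second DNS answer cannot swap in an internal address (DNS rebinding).
    For https the hostname still has to be passed separately for SNI and
    certificate checks.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise RejectedTarget(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise RejectedTarget("credentials in URL not allowed")
    if not parts.hostname:
        raise RejectedTarget("missing host")
    port = parts.port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:           # stops ...servletURL=http://host:25/
        raise RejectedTarget(f"port {port} not allowed")
    if parts.query or parts.fragment or parts.path not in ALLOWED_PATHS:
        # stops /cgi-bin/... calls and arbitrary file downloads
        raise RejectedTarget("only the pong endpoint path may be requested")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise RejectedTarget(f"{parts.hostname} does not resolve")
    for addr in addrs:
        if not is_public(addr):             # stops hosts behind the firewall
            raise RejectedTarget(f"{parts.hostname} resolves to non-public {addr}")
    return addrs[0], port, parts.path


def read_bounded(body, limit: int = MAX_BODY_BYTES) -> bytes:
    """Read at most `limit` bytes and refuse anything larger, instead of
    buffering a whole response into memory."""
    data = body.read(limit + 1)
    if len(data) > limit:
        raise RejectedTarget(f"response larger than {limit} bytes")
    return data


def pong(url: str, resolve, fetch) -> bytes:
    """Validate the URL, fetch via the pinned IP, return the bounded body.
    `fetch(ip, port, path)` returns a readable body; injected for offline use."""
    ip, port, path = validate_target(url, resolve)
    return read_bounded(fetch(ip, port, path))


# Constructed fixtures for the offline demo: not real DNS or HTTP.
def demo_resolve(host: str) -> list[str]:
    return {"public.example": ["93.184.216.34"],
            "somemachine": ["10.0.0.5"],
            "localhost": ["127.0.0.1"]}.get(host, [])


def demo_fetch(payload: bytes):
    return lambda ip, port, path: io.BytesIO(payload)


def run_pong(url: str, payload: bytes = b"pong"):
    """Return the body on success, or the rejection reason as a string."""
    try:
        return pong(url, demo_resolve, demo_fetch(payload))
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for u in ("http://public.example/R-GMA/PongServlet",
              "http://somemachine:25/",
              "http://somemachine:80/cgi-bin/dosomething?user=a&password=b%3F",
              "http://localhost:8080/R-GMA/PongServlet"):
        print(u, "->", run_pong(u))
```

The order of the checks matters: scheme, port and path are rejected before any DNS lookup, so an attacker cannot use the resolver itself as an oracle for names inside the site, and the address check runs on every resolved IP rather than just the first.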