Security mindfulness of http links that require authentication

(John Carroll) #1

Hey, I just installed Discourse, I love it :slight_smile:

one of the things I noted to the guys at bugcrowd (they use it on their forum) is that when you allow a user to reference external material such as an image from a url you cannot be sure that that link wont be abused

consider you allow and spongebob is mischievous, he could apply folder level authentication to the path of the file such as basic auth or httpntlm to the /squarepants/ folder and the discourse application would be none the wiser as it’s only looking at the protocol and the approved extension,

Trusted hosting locations would be nice
or just allowing upload only

disabling ‘hot-linking’

(Jeff Atwood) #2

Yes but this is standard and true of any website that allows images from external sites. The image could be changed to something extremely repulsive, etc. For that matter you could upload your own image that is extremely repulsive.

This is standard Internet and browser linking practice, so all the standard disclaimers apply. If this is a problem with links here, it is a problem everywhere.

(John Carroll) #3

You’re absolutely right… for those sites/developers that support it are unaware than in some cases you can steal someone’s windows credentials (and host name) without the end user being aware (HTTPNTLM) or Basic Auth allowing an opportunity to phish

I’ve seen this in a lot of web-applications and around 70% of the bugcrowd submissions they have acknowledged the threat/risk and remediated

and your not the first person to say it’s a problem here it’s a problem everywhere

it’s acceptable risk to you that’s cool, but not something i’d like to be exposed to when hosting a forum …knowing my shifty friends/ and generally untrusted internet)

fwiw: worst case example

(Kane York) #4

Okay, so I watched the video, and this seems like something you could do from the gallery comments on, as well as every single other forum, and anything else that allows image hotlinking.

The vulnerability is that the attacker gets a user to issue a GET to a malicious HTTP server, which requests some form of authentication. If the user’s browser is configured incorrectly, it can automatically provide their Windows password, or the browser will generate a dialog that looks like it belongs to the operating system instead of a 3rd-party website.

The comment about “folder level authentication” is irrelevant.

However, I believe that Discourse does offer a mitigation for this - the server can download the images locally and serve them from there, in which case there is a limited period of time for an attacker to get other users to connect to the malicious HTTP server. The attacker also gains the IP address of your Discourse server, which was… erm… already public.

(John Carroll) #5

Hey Riking

no, my comment about "folder level authentication’ is relevant, it’s actually the core of the attack. you don’t understand.

let me help.

HTTPNTLM and Basic Auth are both folder level authentication methods.

the attack occurs when a bad guy is afforded the opportunity to load an external (untrusted) resource into a page like - upload a avitar from your computer or from a url

they will put in a url that they have control over, so

pig.jpg doesnt have to exist, but it will satisfy the web applications requirements for the input to begin with http/https and end with .jpg (or approved extensions)

I can only assume you have never used HTTPNTLM or Basic Auth

the client will respond to HTTPNTLM in different ways depending on the browser but Basic Authentication in the same way every time time,

HTTPNTLM for example; if the active directory permits sending HTTPNTLM it will, higher than IE6 you will have to enable it but some poorly configured AD policies will stumble on this, if the policy doesn’t automatically send a response to the challenge it will prompt the user for a username and password. Basic authentication will always give you the same prompt RELM information (space for convincing the user to submit credentials) and a username and password prompt

If you want to play with this I recommend metasploit or Responder by spider-labs - great for learning.

If the sever downloads the images locally that’s fine, but i’ve tested this on a Discourse forum elsewhere and successfully injected authentication prompt to the folder - hence be bringing it here.

if you would like to test from one of my boxes I have set up a responder here (or any other file / extension you like - because it’s folder level.

(Jeff Atwood) #6

You are referring to an IE only issue, yes? And only in very specific circumstances where some non default config is in place, yes?

Just a reminder that Discourse does not work, at all, on IE8 and earlier. And the experience on IE9 is not great, that is our absolute minimum browser and we will likely drop support for IE9 altogether in early 2016.

(John Carroll) #7

No, I’m not.

Basic Authentication = always prompt the user for a Username & password (on any browser)
HTTP NTLM = Always prompt the user for a username & password*‹‹ (on any browser)

*unless Active directory Policy is configured incorrectly
‹‹ if using versions of IE they will autosend if the AD Policy allows it

(Jeff Atwood) #8

This sounds awfully specific to IE to me, as you said above. Simply popping basic browser auth dialog is a non-issue. That is griefing, same as uploading or linking to a highly offensive image.

(John Carroll) #9

OK, so your assuming users when visiting a site they will understand the vulnerability and just click cancel and say ‘oh, cheeky, that’s annoying, lolz, roflcopters!’ or do you thing there might be people that aren’t administrators, developers etc… that go Oh I’m on a forum and it’s asking me for my password again ?

whatever man, someone told me you guys care about security so I came here with this issue, you’ve done nothing but show me you don’t see it as a security risk (and you’re a developer) and try to … what pick on particulars in my responses rather than stick to the principle issue of authentication injection

if you where on my dev team you’d get laughed out of the sprint for assuming users would know, understand, not be bothered by it.

but your not, and that’s alright.

(John Carroll) #10

… also your confusing seeing an offensive image with a phishing attack to acquire users credentials … they are slightly different.

(Jeff Atwood) #11

I think it is fine to bring it up for discussion, but I do not consider it a credible threat outside the IE6 scenario outlined – and we do not work at all on any version of IE earlier than 9.

It would be bizarre for a discussion forum to outlaw all hotlinked images and all outside linking, simply because one of them might cause a basic HTTP auth dialog to appear in the browser:

I would expect an image linked to basic auth would get flagged and hidden by the community, or a mod, just like an offensive or griefing image would.

(John Carroll) #13

Okay, I will accept that if the Mod’s are diligent and prepared to accept attack window vs the time it takes for a moderator to identify it on a page then remove the link/block the perp.

The killteam prompt is an NTLM prompt, the Basic Prompt has a ‘Relm’ header that could be used to convince someone that the prompt is associated with the site too - I’d set up a PoC but, I think you’ve measured the risk and found it acceptable.

like I say, personally I’d love to have upload only especially now I can dump them all on S3
or at least whitelist allowed domains to those you trust (imgur/flickr/etc… (locations where only admins of those sites can apply this authentication as apposed to anyone)