Forum OpenACS Q&A: Stealing Email Addresses -3x

Posted by MaineBob OConnor on

We have an online community of 2000~ Paying and 20,000 FREE Guest members using OpenACS 3.2.x... Recently, it appears that every Member and Guest has been spammed along with Deleted members.... We keep deleted records in the db so that information can be restored when people change their mind (especially true for the people who pay monthly).... My delete routine prepends the user_id to the email address such as 12345_bob@isp.com. This also allows one to just sign up again with the same address yet have unique email addresses in the users table. I know that they are using deleted addresses because with my catchall address, I have received the spam at 12345_bob@isp.com and other throwaway test accounts that I set up.

PROBLEM

Someone by the name of "John Rey" His Real name? (johnrey1960@yahoo.com) and
---Details---
Received: from [61.9.82.162] (account johnrey1960 HELO pc-2) by philwebinc.com (CommuniGate Pro SMTP 3.4.7)

The 61.9.82.162 resolves to: mailaddress = root.mozcom.com. and I found a USA phone number for mozcom.com so I will call them in the morning: +1(408)738-8578 about their user "John Rey".

QUESTION: How did John Rey HARVEST the email addresses from our Guests AND for DELETED records? We ONLY have the email addresses shown for Members and of course those CAN be harvested from the webpage by robots.

It does NOT *appear* that there has been a security breach... I see no logons other than the expected ones. (Access is now by AOLserver and SSH... and Yes, we need to move from SSH1 to SSH2). FTP and Telnet have been disabled and PortSentry has been set up.

Are there security breaches possible with AOLserver/3.3.1+ad13 that would allow a harvest?
What about Postgresql 7.1.2?

I'll also search for some of my scripts to be sure that there isn't a hole to allow someone to just increment the user_id in a url such as
www.site.com?user_id=1....10000

Other thoughts?

Thank you!

-Bob

Posted by Don Baccus on
How is AOLserver talking to PG?  Locally?
Posted by Jon Griffin on
ACS 3.x had MAJOR security flaws. I don't know if OpenACS 3.x patched all of these.

Basically you can type in a query at the right place and get whatever you want. That was one of the main reasons there was a weekend codefest at AD to patch that. Petru was the one who alerted the AD people.

I am sure there are still holes. I always use passwords on my db's in case, but if they attack through the web it is irrelevant.

Posted by Stan Kaufman on
Have a look at http://www.ybos.net/doc/core-arch-guide/security-sql-smuggling.

Looks like this fix never made it into 3.2.5. What isn't clear to me in the above is where ad_block_sql_urls is best called. I presume in ad_page_variables but unless I'm completely blind or addled, it's not explicitly documented.

Posted by Don Baccus on
Actually Ben went through our 3.x codebase and added a bunch of "validate integer" calls to block obvious SQL smuggling attacks.

So yes, I guess a good question is to ask whether or not you're validating your query variables in your custom pages, too, or whether or not a standard page is exploitable because it got missed in Ben's sweep.

Posted by David Walker on
/shared/community-member.tcl is susceptible to an increment attack. I'm not sure how it handles deleted records.
Posted by Stan Kaufman on
David, in what way do you mean that it's susceptible? It calls ad_page_variables in which there's a call to check_for_form_variable_naughtiness. It calls validate_integer. It won't show email addresses until the user is logged in. How can Bad Things happen?
Posted by MaineBob OConnor on
Thanks for your Great Suggestions... Don, Yes, AOLserver is talking to PG locally. Jon, I think that it is an SQL attack and I will do some code checks as suggested by Stan. Don, How does Ben's "Validate Integer" code work? Is it a proc? I was thinking of using:
if { $user_id > 0 && $user_id < 1000001 } {
  # do normal stuff
} else {
  # send to 404 not found page.
}

David, I have extensively modified and expanded /shared/community-member.tcl so I will check that closely.

-Bob

Posted by David Walker on
It can be used to harvest the user database. Sign up for a free account and then tell your program to hit
/shared/community-member.tcl?user_id=1   
/shared/community-member.tcl?user_id=2   
/shared/community-member.tcl?user_id=3 
It does not give the user any information they don't have permission to receive but it will allow retrieving the entire user database including deleted users.
Posted by MaineBob OConnor on

AND to answer my own question and for those who want to solve the same problem in their 3x code, here is the line with the validate proc:

validate_integer user_id $user_id

-Bob

Posted by Don Baccus on
Yes, the incremental attack works of course, I guess I've been misunderstanding, I was assuming Bob wasn't making e-mail information available at all ...

Whenever information is made public there's surely a risk of folks abusing that public information.

Maybe we should add code to pages like this that could optionally be set to refuse to show someone more than a set number of e-mail addresses per day, that kind of thing?
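
The per-day cap suggested in the post above, as an added example in plain Tcl. It is not OpenACS code and not written by anyone in this thread. The proc name, the in-memory arrays, the sample users and the limit of 2 are all assumptions made for illustration.

```tcl
# Added example, not OpenACS code. All names and data below are constructed.
# user_id -> {status email}
array set users {
    1 {Member  alice@example.com}
    2 {Guest   bob@example.com}
    3 {Deleted 3_carol@example.com}
    4 {Member  dave@example.com}
}
set max_emails_per_day 2   ;# assumed site policy

# seen(viewer,day) holds the distinct user_ids already revealed to that viewer
array set seen {}

# Returns the email address to display, or "" when it must be withheld.
proc email_for_viewer {viewer_id target_id now} {
    global users seen max_emails_per_day
    # Integer check: stops smuggled SQL, but does nothing against 1,2,3,... walks
    if {![regexp {^[0-9]+$} $target_id]} { return "" }
    if {![info exists users($target_id)]} { return "" }
    foreach {status email} $users($target_id) break
    # Deleted and inactive records are never shown, whoever asks
    if {$status == "Deleted" || $status == "Inactive"} { return "" }

    set day [expr {$now / 86400}]          ;# UTC day number
    set key "$viewer_id,$day"
    if {![info exists seen($key)]} { set seen($key) {} }
    # Re-reading a profile already shown today does not consume quota
    if {[lsearch -exact $seen($key) $target_id] >= 0} { return $email }
    # Quota counts distinct addresses revealed, not page hits
    if {[llength $seen($key)] >= $max_emails_per_day} { return "" }
    lappend seen($key) $target_id
    return $email
}

# One logged-in viewer (id 99) walking user_id values within a single day
set now [clock seconds]
foreach id {1 2 3 4 1 2abc} {
    puts [format "user_id=%-6s -> '%s'" $id [email_for_viewer 99 $id $now]]
}
```

In a running server the `seen` state would have to live in storage shared by all request threads, such as a database table, since a plain Tcl array is private to one interpreter.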

Posted by MaineBob OConnor on

Don wrote: ...I was assuming Bob wasn't making e-mail information available at all...

We make about 10% of our users' email addresses available on the public "community" page which we call a MY FACE page. People with these public pages can also decide to hide their login email address. I am considering giving everyone a second email address that can be changed regularly so spam will stop (for a while!). Kinda like moving, "...left no forwarding address". The primary login email could then remain private for everyone. OR maybe we'll switch to a login name that is NOT an email address.

Our data model does not use OACS groups, instead we have a simple field to determine status:

Visitor, Guest, Member, Inactive, Deleted.

In our situation one can ONLY be ONE of the above. With OACS groups one could belong to Multiple groups... In our case, you cannot be both a Guest and Member. I haven't looked at 4x and I wonder if it is set up to restrict group membership or would I need to customize as I have with 3x.

-Bob

Posted by Michael A. Cleverly on
I still have a copy of the AIM transcript Petru & I had with Eve the day we jointly discovered the rash of SQL smuggling & other ways to abuse form input in ACS 3.x. All of which, I believe, is what finally motivated Philip to have someone implement bind variables. 😊 Alex sent me a $200 Amazon.com gift certificate (nicest gift I've ever received from a dog, Samoyed or otherwise).