[thelist] Are there any security leaks of HTC's

Peter Brunone (EasyListBox.com) peter at easylistbox.com
Wed Jun 1 20:37:12 CDT 2005


Volkan,

	I don't think this sounds like something strictly HTC-related.
Rather, it sounds like you're using plain-text queries based on some
user input, which is always vulnerable to SQL injection.  Without more
info about the app, it's hard to tell.
	Ditto on the SSL part; you should never be using clear text for
applications like this.  

> Our router does not have a log program,

	What about your web server?  Doesn't that have some logging
functions?  I would be quite surprised if you weren't at least logging
page requests.  That should give you a little something to start with,
anyway.

Regards,

Peter
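As an added illustration of Peter's point (not code from the thread; the `accounts` schema, and using sqlite3's `executescript` and authorizer to stand in for a stacked-statement driver and a least-privilege database account, are assumptions), here is the concatenated query beside the parameterized, session-checked version, plus what the same flawed code can do when the web tier's database principal cannot drop tables:

```python
import sqlite3

# Constructed stand-in for the thread's "critical table" (not the poster's schema).
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);
INSERT INTO accounts (owner, balance) VALUES ('alice', 100), ('bob', 50);
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def table_exists(conn, name):
    q = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(q, (name,)).fetchone() is not None

def vulnerable_lookup(conn, owner):
    """Query text concatenated from a request parameter. executescript() stands in
    for a driver that runs stacked statements (assumption about the thread's DB)."""
    conn.executescript("SELECT balance FROM accounts WHERE owner = '%s'" % owner)

def hardened_lookup(conn, session, owner):
    """Session is checked on every call (a client reaching the back end directly
    gets no free pass) and the value is bound, so input never becomes SQL."""
    if not session.get("authenticated"):
        raise PermissionError("no valid session")
    row = conn.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()
    return row[0] if row else None

def restrict_web_tier(conn):
    """Least privilege: sqlite's authorizer models a DB account that cannot DROP."""
    def authorizer(action, *_):
        return sqlite3.SQLITE_DENY if action == sqlite3.SQLITE_DROP_TABLE else sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)

PAYLOAD = "x'; DROP TABLE accounts; --"   # constructed textbook test input

def demo():
    """Returns (table survives vulnerable path, table survives hardened path)."""
    db1 = fresh_db()
    vulnerable_lookup(db1, PAYLOAD)
    db2 = fresh_db()
    hardened_lookup(db2, {"authenticated": True}, PAYLOAD)
    return table_exists(db1, "accounts"), table_exists(db2, "accounts")

def least_privilege_demo():
    """Same vulnerable code, but the principal lacks DROP: the engine refuses."""
    db = fresh_db()
    restrict_web_tier(db)
    try:
        vulnerable_lookup(db, PAYLOAD)
    except sqlite3.DatabaseError:
        pass  # "not authorized"; the table is untouched
    return table_exists(db, "accounts")
```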

-----Original Message-----
From: thelist-bounces at lists.evolt.org On Behalf Of VOLKAN ÖZÇELİK

Actually what I meant is different. I couldn't fully express it, sorry.

Let me start step by step.

1. we use HTC's as a means of async connection to server.
2. only authenticated users can use those htcs, if the user does not
provide correct credentials, he is redirected to a "session closed -
reason undefined" sort of page.
3. Here is our general framework.

user  ->*  JSP   -> HTC  ->  Servlet  -> EJB  ->*  Database

legend:
-> indicates a call being made. (no authentication)
->* this connection requires authentication. either an exception is thrown
or the user is redirected to another page if credentials are invalid (we use
a user object stored as a session variable for authentication, username
password is requested only once)

So we check user integrity at two points.
1. user calling the jsp
2. the EJB requesting data from DB (i.e. each request to db is
authenticated)

Now the interesting part:

Yesterday we were seriously *hacked*.
(A critical table has been "dropped")

Our router does not have a log program, so we cannot find after which
HTTP connections this had happened. (we plan to install one ASAP).

We just know the time of hack. And we are sure that it is not a threat
from inside. (At that time only our DBA and a colleague were at the
building, they detected the table being dropped totally by chance)

We have declared red alarm, investigate and suspect everything.

More;

The guy(or gal I don't know) at least knows database well
(he killed 5-6 processes running before dropping the table)
He detected the only user account with the sa role (and impersonated to
use it) (yes I know it's a BIG BIG BIG SECURITY MISTAKE, and it's fixed
forever.) Telnetting will be refused by PIX (the firewall). Remote
connection is disabled etc. The only open port to outside world is HTTP
80.
So we highly suspect that it's through the web interface. 

I suspect that s/he sniffed the connection to get user&pass. The
credentials are sent through HTTP post with no encryption.

And I suspect it can be due a hack using the HTC.

Let me go back to the chart:

user ->*(1)  JSP   ->(2) HTC  ->(3)  Servlet ->(4) EJB ->*(5)  Database

If the user finds a way to directly communicate with the HTC while
keeping the session open after authenticating at step 1(assuming that he
has stolen the sa password): He can send any SQL call to the servlet
(it's somewhat more complex, but theoretically possible, I'll not go to
details to deviate from the topic.)

Sorry for this much introduction.

In conclusion I have two basic questions:

1. is it possible (with a tool, with a hack, by using a security leak
etc) to communicate directly to the HTC file, bypassing the browser; and
without losing the browser session.

2. We play with money. 
So
* Shall we install SSL to the login process.
or
* Shall we install SSL throughout the entire process to secure our
connection.

3. Shall I blame the DBA of hacking the system :) (since she was there
at that time)

The management set me and 3 other colleagues responsible for the
security policy and I have to quickly and proactively decide and
implement things, before the naughty guy strikes us back again.

Your responses are really and highly appreciated.

Thank you,
Volkan.

On 6/1/05, Mark Groen <markgroen at gmail.com> wrote:
> ----- Original Message -----
> From: "VOLKAN ÖZÇELIK" <>
> 
> Hi everyone,
> 
> Do you have any web site / reference on the security leaks of 
> Microsoft's (sigh) "HTC components" ?
> 
> I've googled around but couldn't find any satisfactory answer.
> 
> Are there / have you experienced any security leaks (I've heard that 
> there are, but cannot find anything) or are they innocent ?
> 
> You may be googling for the wrong term as htc is used for a lot of 
> acronyms. Try DHTML security instead.
> 
> (February 15, 2005) 
> http://www.microsoft.com/technet/security/Bulletin/MS05-013.mspx
> 
> For myself, I keep up with the patches from M$, (still using Win98, 
> happily), so javascript holes aren't a concern. Some clients want 
> their png's and hovers to work, and htc gives you access through 
> javascript to css behaviors and image filtering that you can't get 
> otherwise for IE.
> 
> I'm thinking the answer is: yes, if you aren't patched and using IE 
> then you could be abused.
> 
> hth!
> 
> cheers,
> 
>        Mark