I know this is bad......

Thread: I know this is bad......

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    I know this is bad......

    The question is, how bad???????

    An organization we work with is requiring us to enter certain requests/data through their spiffy new web portal over https. It doesn't work very well for us and it was brought to my attention. Being the good little worker bee that I am I sit down with the user and ask them to run through what they do exactly as they do it. Everything goes swimmingly until she submits her request. The page returned is as follows:-

    Code:
    Server Error in '/Portal' Application.
    --------------------------------------------------------------------------------
    
    The system cannot find the path specified. 
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 
    
    Exception Details: System.Runtime.InteropServices.COMException: The system cannot find the path specified. 
    
    Source Error: 
    
    
    Line 54:         userid = context.User.Identity.Name
    Line 55:         oReportSource = New ReportDocument
    Line 56:         oReportSource.Load("c:\inetpub\wwwroot\********\Portal\Reports\Serv_Auth.rpt")
    Line 57:         oLogOnInfo = New TableLogOnInfo
    Line 58: 
     
    
    Source File: C:\Inetpub\wwwroot\Portal\ServAuthRpt.aspx.vb    Line: 56 
    
    Stack Trace: 
    
    
    [COMException (0x80004005): The system cannot find the path specified.
    ]
       CrystalDecisions.ReportAppServer.ClientDoc.ReportClientDocumentClass.Open(Object& DocumentPath, Int32 Options) +0
       CrystalDecisions.ReportAppServer.ReportClientDocumentWrapper.Open(Object& DocumentPath, Int32 Options) +72
       CrystalDecisions.ReportAppServer.ReportClientDocumentWrapper.EnsureDocumentIsOpened() +218
    
    [Exception: Load report failed.]
       CrystalDecisions.ReportAppServer.ReportClientDocumentWrapper.EnsureDocumentIsOpened() +269
       CrystalDecisions.CrystalReports.Engine.ReportDocument.Load(String filename, OpenReportMethod openMethod, Int16 parentJob) +739
       CrystalDecisions.CrystalReports.Engine.ReportDocument.Load(String filename) +52
       Portal.ServAuthRpt.Page_Load(Object sender, EventArgs e) in C:\Inetpub\wwwroot\Portal\ServAuthRpt.aspx.vb:56
       System.Web.UI.Control.OnLoad(EventArgs e) +67
       System.Web.UI.Control.LoadRecursive() +35
       System.Web.UI.Page.ProcessRequestMain() +731
    
     
    
    
    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573

    Now.... I can see a path disclosure in there, (sanitized due to their naming conventions), I can see the precise versions of .NET and ASP.NET, I can see that the backend is Crystal Reports, I can see how the userID is generated.

    I know that this kind of information disclosure is bad..... But how bad is this from the POV of those that could be looking for vulnerable servers?

    I'd like to know because my level of ire will be directly proportional to the level of idiocy this organization is displaying _yet again_!!!! On a rating of 0 - 10 with 10 being "Blow a blood vessel" where should I set the steam valve when I call them because this will clearly not be the only information disclosure that could be generated?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
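    To put a number on the "how bad" question, here is an added check (not from this thread) that parses a constructed copy of the error page above and lists what it discloses; the sanitized site directory is replaced by the placeholder EXAMPLE, and the same function can be run over your own application's responses to catch pages like this before an outsider does.

```python
import re

# Constructed sample modelled on the error page quoted above (not the real
# response; the sanitized site directory is replaced by the placeholder EXAMPLE).
SAMPLE_RESPONSE = r"""Server Error in '/Portal' Application.
The system cannot find the path specified.
Exception Details: System.Runtime.InteropServices.COMException: The system cannot find the path specified.
Source Error:
Line 56:         oReportSource.Load("c:\inetpub\wwwroot\EXAMPLE\Portal\Reports\Serv_Auth.rpt")
Source File: C:\Inetpub\wwwroot\Portal\ServAuthRpt.aspx.vb    Line: 56
Stack Trace:
[COMException (0x80004005): The system cannot find the path specified.]
   CrystalDecisions.CrystalReports.Engine.ReportDocument.Load(String filename) +52
   Portal.ServAuthRpt.Page_Load(Object sender, EventArgs e) in C:\Inetpub\wwwroot\Portal\ServAuthRpt.aspx.vb:56
Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573
"""

APP = re.compile(r"Server Error in '([^']+)' Application")
EXC = re.compile(r"Exception Details:\s*([\w.]+Exception):")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"\')]+')          # drive-letter paths
VERSION = re.compile(r"(Microsoft \.NET Framework|ASP\.NET) Version:([\d.]+)")
FRAME = re.compile(r"^\s+([\w.]+)\(", re.M)               # stack-trace method names

def analyze_error_page(body):
    """Return what an ASP.NET debug error page leaks, or None if body is not one."""
    app = APP.search(body)
    if not app or "Stack Trace:" not in body:
        return None
    # strip the ":line" suffix the stack trace appends to source paths
    paths = sorted({re.sub(r":\d+$", "", p) for p in WIN_PATH.findall(body)})
    exc = EXC.search(body)
    frames = FRAME.findall(body)
    return {
        "application": app.group(1),
        "exception": exc.group(1) if exc else None,
        "paths": paths,
        "versions": dict(VERSION.findall(body)),
        "components": sorted({f.split(".")[0] for f in frames}),  # root namespaces
        "source_code_shown": "Source Error:" in body,
    }

def leak_categories(report):
    """Name each class of information the page discloses, for a finding write-up."""
    checks = {"filesystem paths": report["paths"], "framework versions": report["versions"],
              "server-side components": report["components"], "source code fragment": report["source_code_shown"]}
    return [name for name, present in checks.items() if present]
```

    On the server side the detailed page goes away once web.config sets customErrors to On or RemoteOnly, which is the setting the thread is describing as turned off.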

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    What happens if you try to get the /Portal/ServAuthRpt.aspx.vb file?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    SirDice:

    I dunno.... I'm not fsking with the system.... This is a major funding source and, as such, holds confidential client information on thousands of people.... All they need is another excuse to piss with us.

    It's bad though if I can get the source of that or any other file... I know that....

  4. #4
    rebmeM roineS enilnOitnA steve.milner
    Join Date
    Jul 2003
    Posts
    1,018
    Can this error be viewed by joe public, or is it an 'internal' thing?

    If visible publicly then the page error is unprofessional, at the very least.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The web site is publicly available though the error above occurs at a page that is username/password protected. It's clear that debug error reporting is turned on so if I could force an error at the login page then similar information disclosure would take place. That aside, if I am a registered user and I want to commit a crime this _has_ to help me elevate my privs to a point where data that I am not supposed to see becomes available.

  6. #6
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    Can this error be viewed by joe public, or is it an 'internal' thing?
    My first thought also.

    Any disclosure of enumerating (right word?) information is bad however.

    Does a security failure such as this breach any sort of contract/SLA that your org has with the offending org?

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's a Major breach of HIPAA..... regardless of whether it is openly available or protected by username/password combo IMO.

  8. #8
    Banned
    Join Date
    Jun 2005
    Posts
    445
    I'd set the steam valve at about 5 if it's only available internally; if it's open to the net, set it to maybe 7.

    Although there aren't any obvious "holes", the fact that it will give you versions, paths, etc. gives an attacker enough information to start looking for specific vulnerabilities.

    I wouldn't call it unprofessional, so much as amateurish.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    LOL.... Funny you use the word "amateurish"..... They haven't quite reached that lofty height yet....

    Ok, I'm calling them..... Let's see how they react to a vulnerability disclosure.....

  10. #10
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    I'd have to suggest that you do the following:

    1) Alert the proper people. There is no sense in keeping something of this nature under wraps. If HIPAA data is at risk, then you need to practice due diligence.

    2) Get approval to find out how deep the rabbit hole goes. You need to know how vulnerable the application is, and furthermore, how vulnerable the server running the app is. Get authorization to run a pen test or hire someone to conduct one for you, specifically for this application.

    I'd take this up with the right people with a level of about 6-7
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
