Graf Zero
BAM!ID: 41299
Joined: 2007-12-17
Posts: 5
Credits: 381,111
World-rank: 349,260

2009-04-16 21:29:58
last modified: 2009-04-16 21:51:02

FreeHAL@Home, a brief story about server security.

As we're writing this post, we're worried about the security of the server where the project is based, as well as the admin's attitude towards this issue.

A couple of days ago one of the team members (SereK) found a breach on the project's website - a file with the data needed to successfully log in to the SQL database was available to everyone, and it allowed everyone to browse through basically all of the database, not only the one used by this project. We informed the admin about the problem and - after it was solved - we released a statement on our website about the fact, feeling that we had done the right thing.

Everything seems fine so far, right? SereK surprised us only two days later, claiming that the breach still exists and the file is still available, this time through a different domain pointing to the same WWW server. We informed the admin again, and access to the file was blocked (however, and this is important, the password was not changed).

Another conversation with the breach finder triggered déjà vu feelings - this *.xml file is still available to the world and still contains the current password. If somebody wants to, he could still get basically any part of the database access he wants; all he has to do is find the proper domain... Which is not that difficult: all you have to do is go to the BOINC wiki on the Berkeley University website. As far as we know, currently you can retrieve both the old and the new password from FreeHAL servers.

At the time of writing this post, there were nearly four thousand users in the project's database (some of whom have no credit and thus aren't visible on the stats websites) with their emails and passwords. We are not calling for any kind of action like boycotting the project. Everyone should think for themselves about what they want to do next with this information. We are not looking for popularity or a million hits on our website. We just don't want to wait for the admin to fix another error... We tried discreetly, but it didn't seem to work. Maybe a little bit of a fuss will force FreeHAL's creators to actually take care of security issues.

http://boinc.fatumtech.net/images/freehal-sql.png

FatumTech BOINC Team
http://boinc.fatumtech.net/


---------------------------------------------------------------------


FreeHAL@Home, a short story about server security

We are writing this post worried about the security of the server on which the FreeHAL@Home project is running, and about its administrator's approach to the subject of security.

A few days ago one of the members of our team (SereK) found a "hole" on the project's website - a file with the data needed to log in to the SQL database was available to anyone who knew which address to enter. The lack of protection on the SQL server's side allowed free browsing of almost the entire database, not only the part used by the project. We informed the administrator about the problem and - after the problem was removed - we published information about this fact with the feeling of a duty well done.

So far so good, right? The finder of the bug surprised us after just two days, informing us that the hole still exists and the file is still available, this time through a different domain leading to the same WWW server. We informed the administrator again and again access to the file was blocked (but, strangely, the password was not changed).

Another conversation with the (un)lucky finder evoked an unpleasant feeling of déjà vu in us - that unfortunate *.xml file is still available to the world and it still holds the current password. If someone wants to, they can still obtain almost any part of the database; they only need to find the right domain... Which is not a difficult matter at all: Google and a look through the wiki on the Berkeley University website is enough. According to the information we have, at the moment both the old and the new password can be "pulled" from the FreeHAL servers.

At the time of writing this post, almost four thousand users were recorded in the project's database (some of whom had no points, hence their absence on the statistics pages) along with their email addresses and passwords. We are not urging anyone to boycott the project or to take other drastic actions. Everyone should decide for themselves what they want to do next with this information. We are not looking for cheap publicity or millions of visits to our website. We simply don't want to wait for the next bug to be graciously corrected by the project's administrator. We tried to be fairly discreet, but as you can see that doesn't work. Maybe a little commotion will mobilize FreeHAL's creators to take up the subject of security.

http://boinc.fatumtech.net/images/freehal-sql.png

FatumTech BOINC Team
http://boinc.fatumtech.net/
PovAddict
BAM!ID: 115
Joined: 2006-05-10
Posts: 1013
Credits: 5,785,239
World-rank: 76,276

2009-04-17 00:36:08

The MySQL port shouldn't even be opened to the outside!
Not running BOINC anymore for several reasons...
[BOINCstats] Willy
 
Forum moderator - Administrator - Developer - Tester - Translator
BAM!ID: 1
Joined: 2006-01-09
Posts: 9419
Credits: 350,105,499
World-rank: 4,518

2009-04-17 04:50:23

PovAddict wrote:
The MySQL port shouldn't even be opened to the outside!

Well, sometimes it's necessary. Many projects use multiple servers, so the other servers need access to the database server. BUT: if the project is behind a firewall the port can still be closed. If not (decent firewalls are quite expensive) then the database server should only accept connections from a set list of hosts.
Please do not PM, IM or email me for support (they will go unread/ignored). Use the forum for support.
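As an added example (not code from this thread, from FreeHAL or from BOINC), a small Python audit of the restriction Willy describes: it reads a constructed my.cnf fragment and constructed rows shaped like `SELECT user, host FROM mysql.user`, and reports every way the server accepts connections beyond an assumed allow-list of the project's own hosts.

```python
"""Audit MySQL network exposure against an allow-list of hosts.

All input below is constructed sample data, not from any real server.
"""
import ipaddress
import re

# Assumption: only the project's own servers on the LAN need the database.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "10.0.0.0/24"}

SAMPLE_MY_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0
"""

SAMPLE_USER_ROWS = [
    ("boincadm", "localhost"),
    ("boincadm", "%"),          # reachable from any host that knows the password
    ("project", "10.0.0.%"),    # wildcard pattern, not listed verbatim
    ("stats", "203.0.113.7"),   # documentation-range address outside the LAN
]

def bind_address(my_cnf):
    """bind-address from the config, or None when unset (listens on all)."""
    m = re.search(r"^\s*bind[-_]address\s*=\s*(\S+)", my_cnf, re.MULTILINE)
    return m.group(1) if m else None

def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True if a mysql.user host value is covered by the allow-list."""
    if host in ("%", ""):
        return False                      # any host at all
    if host in allowed:
        return True
    if "%" in host or "_" in host:
        return False                      # wildcard accepted only if listed verbatim
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                      # hostname not on the list
    return any("/" in a and ip in ipaddress.ip_network(a, strict=False)
               for a in allowed)

def audit(my_cnf, user_rows, allowed=ALLOWED_HOSTS):
    """Return findings describing how the DB is reachable from outside."""
    findings = []
    addr = bind_address(my_cnf)
    if addr in (None, "0.0.0.0", "::", "*"):
        findings.append(f"server listens on all interfaces (bind-address={addr})")
    for user, host in user_rows:
        if not host_allowed(host, allowed):
            findings.append(f"account {user!r}@{host!r} is not limited to an allowed host")
    return findings
```

Run `audit(SAMPLE_MY_CNF, SAMPLE_USER_ROWS)` to see the four findings for the sample; a server bound to 127.0.0.1 with only localhost grants yields none.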
Guest

2009-04-17 12:57:36

Thank you for bringing this to my/our attention. I do think it would have been better shared only on the FreeHAL message boards, but at least you have given those of us who need to a chance to change what details they hold about us.
PovAddict
BAM!ID: 115
Joined: 2006-05-10
Posts: 1013
Credits: 5,785,239
World-rank: 76,276

2009-04-17 14:12:23

PovAddict wrote:
The MySQL port shouldn't even be opened to the outside!

[BOINCstats] Willy wrote:
Well, sometimes it's necessary. Many projects use multiple servers, so the other servers need access to the database server. BUT: if the project is behind a firewall the port can still be closed. If not (decent firewalls are quite expensive) then the database server should only accept connections from a set list of hosts.

I meant "outside their LAN". Of course communication between their servers is needed, but why open it to the Wild Internet?
Not running BOINC anymore for several reasons...
Guest

2009-04-17 14:47:00

PovAddict wrote:
The MySQL port shouldn't even be opened to the outside!

[BOINCstats] Willy wrote:
Well, sometimes it's necessary. Many projects use multiple servers, so the other servers need access to the database server. BUT: if the project is behind a firewall the port can still be closed. If not (decent firewalls are quite expensive) then the database server should only accept connections from a set list of hosts.

PovAddict wrote:
I meant "outside their LAN". Of course communication between their servers is needed, but why open it to the Wild Internet?

because you know or give shit about data security?
Kai Strang
 
Tester - BOINCstats SOFA member
BAM!ID: 14104
Joined: 2006-12-06
Posts: 1156
Credits: 266,085,161
World-rank: 5,465

2009-04-17 16:25:52

Glad I never touched this thing
SereK_FT
BAM!ID: 43794
Joined: 2008-01-13
Posts: 1
Credits: 281,018
World-rank: 407,856

2009-04-20 20:14:45

The *.xml file is still available (at least the database is blocked); I hope it's a fake put there on purpose.
PovAddict
BAM!ID: 115
Joined: 2006-05-10
Posts: 1013
Credits: 5,785,239
World-rank: 76,276

2009-05-06 21:49:03

SereK_FT wrote:
The *.xml file is still available (at least the database is blocked); I hope it's a fake put there on purpose.

You know, I never found that XML file... However, I had found a core dump of a daemon and got a DB host/user/password from there. I reported it to the admin, who then blocked that DB server (it was an old "backup" DB, not the one actually running the project; but account keys were there anyway).
Not running BOINC anymore for several reasons...