Is the control panel potentially disclosing sensitive information?

This is used for general discussion that is not necessarily server-related.
Vortire
A semi-regular
Posts: 24
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Sat Mar 21, 2020 3:32 am
Location: United Kingdom

Post by Vortire »

Hello there,

After snooping around my server dashboard, simply looking at the status of my virtual server, I noticed that it is written in Perl, and me being me, I decided to check out the cookies it stores (I've never seen a web-app in Perl, so this was exciting for me :D). After checking what cookies the dashboard stores, though, I noticed that you may potentially be disclosing sensitive information, including the user's username (or email) and password. The password is in clear-text as well. Would this qualify as CWE-315?

P.S. If the forum Admin wants me to remove this post and contact him directly, I'd be more than happy to do so. :)

So I guess my question is, are you aware of this and do you think it qualifies as CWE-315?

Thank you!
Adam - Vortire :D
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Post by Edge100x »

Please feel free to contact us directly with security concerns.

I haven't heard this called "CWE-315" before, but some have expressed concerns about storing cleartext information in a cookie, even when that cookie is only sent securely and is (supposedly) stored securely in the browser. Though it's still a relatively common practice, and browsers by default separately prompt users to save login information in a retrievable way, most professionals now believe that it is best to avoid it when possible.

Switching to a token-based system and adding full 2-step authentication (beyond our current email confirmation for certain actions) are improvements that are currently planned for the control panel. Both changes work together to address a not-unknown scenario -- a customer whose information is obtained by a 3rd party outside of our system.
Post by Vortire »

Thank you for the prompt response. If you want more information on CWE-315, https://cwe.mitre.org/data/definitions/315.html is the official page for it :D

Yes, token-based authentication would be a definite security step-up, and time-based 2FA (something that wouldn't require 3rd-party services) is always a desirable feature, especially for server providers. That would be awesome.

From my past experience working with web-apps, I'd recommend either token-based authentication or, as a hot-fix, simply encrypting and decrypting the cookie with a password hard-coded on your end. That would significantly increase security, or, if you don't require the password for any API-related stuff, hashing it.

Thank you again for the quick reply; I'm always impressed by how fast your staff and you respond.
P.S. Thank you for the great service, best provider hands down.
Naleksuh
This is my homepage
Posts: 298
Joined: Thu Jul 25, 2019 12:35 am

Post by Naleksuh »

Also, it seems like it is possible to change your password without knowing your current password, just as long as you are logged in, which also seems like a problem.
Post by Vortire »

Yes, it appears the control panel allows you to change your password without requiring you to provide your existing password, but personally I believe this is by design. I've seen the same on other websites, so I'm unsure how I feel about that. :D
Post by Naleksuh »

I am not really sure why this was a public discussion in the first place, security stuff ultimately should be private. But, Edge100x, founder and CEO of this service, seems to be okay with it, so if it's allowed then I suppose I will post my point of view.

It is unavoidable that someone with the ability to execute client-side code, read cookies, etc., can take over your account. But the damage is minimized by not allowing them to change your password, etc., allowing you to regain control.

As it stands, anyone with the ability to read your cookies can view your password. This is of course a problem, as it can allow them to completely lock the owner out of their account. But even if this was fixed with a token-based system, that still wouldn't resolve the issue. Because if you can change the password without knowing the current password, then the password can simply be changed and known by any potential attackers, without the current password.

I'm not sure what websites are allowing to change the password without knowing the current one but that does sound like a security problem. Are you sure this isn't password resets which requires email access?
Post by Vortire »

It should also be noted that on "https://www.nfoservers.com/control/login.html" there is no CSRF protection or Captcha, which should probably be addressed at some point, but I understand DDoS mitigation and other network-related occurrences take priority. :D
Post by Vortire »

Completely missed your response, sorry :)

If Edge feels this is too security related, I will happily remove the posts as i said in my previous post :)

I agree that someone with knowledge of a few basic tools can hijack a session and/or other cookies if they wish to do so. It is technically avoidable if you, for example, use a hashed version of the user agent and maybe scroll-bar width and use that within your session token, then compare it on each request, which would limit an intruder's chances of gaining access to that account with a session token.

The best method would be to have the ability to see all active session tokens and the user-agents using them, which would help you determine if you have been the victim of an illegal act.

I'm sure I saw it somewhere. The best method of mitigating this would be to either A. require use of the pre-existing password or B. send a confirmation email with an OTP for the user :)
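The following is an added example, not code from the NFO control panel or from anyone in this thread. It puts the two ideas discussed above side by side: the cookie pattern described in the opening post (login and password stored as cookie values, the CWE-315 case), and the token-based replacement Edge100x says is planned, with the two additions Vortire suggests in this post: binding each session to a hash of client traits such as the User-Agent, and letting the account holder list active sessions. The cookie names `user`/`pass`, the `SessionStore` API, the 12-hour lifetime and the sample User-Agent strings are all assumptions made for the example.

```python
"""Added example, not the control panel's own code: a cookie carrying the
login itself, beside a server-side session store that gives the browser only
an opaque random token, binds each session to a client fingerprint, and can
list a user's active sessions."""
import hashlib
import secrets
import time
from http.cookies import SimpleCookie


def credentials_from_cookie_header(cookie_header: str) -> dict:
    """Parse a request Cookie header. For a cookie of the kind the thread
    describes (CWE-315: login and password stored as cookie values) this is
    all that anyone who can read the cookie jar has to do."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def client_fingerprint(user_agent: str, extra: str = "") -> str:
    """Hash of request traits the session is bound to (User-Agent here; 'extra'
    stands in for any other trait). It raises the bar for a replayed token but
    is not a hard guarantee: an attacker can spoof whatever the real browser sends."""
    return hashlib.sha256(f"{user_agent}\x00{extra}".encode()).hexdigest()


class SessionStore:
    """Sessions keyed by SHA-256 of a random token. The browser holds only the
    token; the server holds only its hash plus metadata, so neither the cookie
    jar nor a leaked session table contains the password."""

    TTL_SECONDS = 12 * 3600  # assumed lifetime

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # sha256(token) -> session record

    @staticmethod
    def _key(token: str) -> str:
        # Indexing by the hash means the dict lookup's timing reveals nothing
        # usable about the token itself.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {
            "user": username,
            "fingerprint": client_fingerprint(user_agent),
            "user_agent": user_agent,  # shown to the user by active_sessions()
            "created": self._now(),
            "expires": self._now() + self.TTL_SECONDS,
        }
        return token

    def resolve(self, token: str, user_agent: str):
        """Username for a valid token presented by a matching client, else None
        (unknown token, expired session, or fingerprint mismatch)."""
        rec = self._sessions.get(self._key(token))
        if rec is None:
            return None
        if rec["expires"] <= self._now():
            self.revoke(token)
            return None
        if rec["fingerprint"] != client_fingerprint(user_agent):
            return None
        return rec["user"]

    def revoke(self, token: str) -> bool:
        return self._sessions.pop(self._key(token), None) is not None

    def active_sessions(self, username: str) -> list:
        """What an 'active sessions' page would show: user agent and creation
        time, never the token itself."""
        now = self._now()
        return [
            {"user_agent": s["user_agent"], "created": s["created"]}
            for s in self._sessions.values()
            if s["user"] == username and s["expires"] > now
        ]


def set_cookie_header(token: str) -> str:
    """Secure: HTTPS only. HttpOnly: unreadable by page scripts.
    SameSite=Lax: not attached to cross-site POSTs."""
    return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample of the pattern the thread describes.
    print("cookie jar yields:", credentials_from_cookie_header("user=adam; pass=hunter2"))

    store = SessionStore()
    ua = "Mozilla/5.0 (X11; Linux x86_64)"  # constructed User-Agent
    tok = store.create("adam", ua)
    print(set_cookie_header(tok))
    print("same client:", store.resolve(tok, ua))
    print("token replayed from another client:", store.resolve(tok, "curl/8.0"))
    print("active sessions:", store.active_sessions("adam"))
```

The fingerprint check fails closed on mismatch rather than prompting for re-authentication; a real panel would more likely force a fresh login, which is the point Edge100x makes about a compromised browser being able to use the session anyway. Hashing the token before storing it is what makes the session table safe to back up or replicate.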
Post by Edge100x »

Some websites integrate captchas into login pages, but it is a (lazy) way to prevent automated access to the accounts, and not for security reasons. It can be a major hassle for clients. I personally hate them. We don't currently see a need to do that here.

CSRF isn't needed for the login page, since it doesn't generate changes. We have general CSRF protection for POSTs within the control panel, however.

In terms of browser-based attacks, fundamentally, if a user's machine is compromised, we can't fully prevent the user's password from being taken by an attacker on their side. No amount of encryption or tokens or hashing can prevent a determined attacker with that kind of access from obtaining it, as long as the user continues to use the site (and most users save their passwords in the browser, regardless, making it trivial). Further, it is very difficult to prevent a determined attacker from using an existing browser session on the compromised machine (through the actual browser itself).

That makes tokenizing a relatively low priority, but still worthy of attention. The more important security feature is 2-step authentication, to (mostly) stop an attacker from using any stolen credentials (possibly obtained from another source) from another location. The extra authentication could also potentially be used to put the brakes on certain actions that we don't already verify through email, if a user requests extra security, such as payment source updates or reductions to the access notifications.

Yes, I would generally prefer that people ask about security concerns directly rather than post publicly. Here, it's fine, because nothing said so far is new or a true vulnerability that attackers can exploit, but in theory someone might bring up an undiscovered vulnerability.
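Edge100x mentions above that the panel has general CSRF protection for POSTs. The block below is an added example of the usual way that is implemented, the synchronizer-token pattern; it is not the control panel's code, and the form action `/control/settings`, the field names `csrf`/`action`, the handler names and the session identifiers are assumptions made for the example. The server secret is generated at import time only so the example runs stand-alone; in a real deployment it comes from configuration.

```python
"""Added example, not the control panel's own code: the synchronizer-token
pattern for CSRF protection on state-changing POSTs. The token is
HMAC(server_secret, session_id), so the server recomputes it per request and
stores nothing extra. A cross-site page can make the victim's browser POST a
form with the session cookie attached, but it cannot read that cookie, so it
cannot produce a token that matches."""
import hashlib
import hmac
import secrets

# Hypothetical: loaded from configuration in a real deployment. Generated here
# only so the example is self-contained.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token to embed as a hidden field in every form that changes state."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(session_id: str, submitted, secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison; a missing or non-string token fails closed."""
    if not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)


def render_settings_form(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Hypothetical settings form as served to a logged-in user."""
    return (
        '<form method="post" action="/control/settings">'
        f'<input type="hidden" name="csrf" value="{csrf_token(session_id, secret)}">'
        '<input type="hidden" name="action" value="disable_access_notifications">'
        "<button>Save</button></form>"
    )


def handle_settings_post(session_id: str, form: dict, secret: bytes = SERVER_SECRET) -> str:
    """Hypothetical handler. 'session_id' comes from the session cookie the
    browser attached automatically; 'form' is the parsed POST body."""
    if not csrf_ok(session_id, form.get("csrf"), secret):
        return "403 CSRF check failed"
    return f"200 applied {form.get('action')}"


if __name__ == "__main__":
    victim_session = "sess-victim"      # constructed session identifiers
    attacker_session = "sess-attacker"

    # Legitimate: the browser submits the form the server rendered for this session.
    legit = {"csrf": csrf_token(victim_session), "action": "disable_access_notifications"}
    print(handle_settings_post(victim_session, legit))

    # Forgery: an attacker's page auto-submits a POST. The cookie rides along,
    # but the attacker never saw it, so the token is absent...
    forged = {"action": "disable_access_notifications"}
    print(handle_settings_post(victim_session, forged))

    # ...or belongs to the attacker's own session and so does not match.
    forged["csrf"] = csrf_token(attacker_session)
    print(handle_settings_post(victim_session, forged))
```

Deriving the token from the session identifier is what makes it useless across sessions: a token harvested from the attacker's own account does not validate against anyone else's. If the session identifier is the value stored in the cookie, use a hash of it as the HMAC input rather than the raw value, so a token leaking in a page does not reveal the cookie.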
Post by Vortire »

By encrypting certain user aspects in your session token and checking them per request, you can prevent an attacker that hasn't spoofed those aspects from gaining access to an account via a live session token, although it's certainly not impossible. Can I also ask, are you hashing passwords in your DB, as is standard?

Yes, 2FA should definitely be the priority, and it should be time-based so you can utilise GAuthenticator etc. It's a standard protocol that doesn't require 3rd-party services.

Noted. I'm just more of a fan of open-source and open-feedback type of guy, it usually gives the issue higher priority and makes others aware of the potential flaws that were found and stops some companies from just shrugging it off (many do unfortunately).

A CSRF token on the login page would help to some degree, as autonomous bots would first have to request a session before being able to automate password bruting; either that or require 2FA.
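Three points raised across the thread fit one example: Naleksuh's concern that the password can be changed without the current one, Vortire's question about hashing passwords in the database, and the time-based 2FA that both posters and Edge100x discuss. The block below is an added example and not the control panel's code; the `Account` class, its field names, the 12-character minimum and the result strings are assumptions. The TOTP code is checked against the RFC 6238 Appendix B test secret so the expected codes are known; the password hashing uses PBKDF2-HMAC-SHA256 from the standard library.

```python
"""Added example, not the control panel's own code: a password change that
(a) requires the current password, verified against a salted PBKDF2 hash so the
database never holds the password itself, and (b) requires a time-based one-time
code per RFC 6238, which any authenticator app produces with no third-party
service involved."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Self-describing record: algorithm$rounds$salt$digest (salt, digest hex)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def totp_ok(secret: bytes, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus or minus 'window' steps for clock drift."""
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def provisioning_uri(issuer: str, username: str, secret: bytes) -> str:
    """What the enrolment QR code for an authenticator app encodes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{username}?secret={b32}&issuer={issuer}&digits=6&period=30"


class Account:
    """Hypothetical account record; the real panel's schema is not known."""

    def __init__(self, username: str, password: str, totp_secret: bytes, now=time.time):
        self.username = username
        self.password_hash = hash_password(password)
        self.totp_secret = totp_secret
        self._now = now

    def change_password(self, current: str, new: str, code: str) -> str:
        # Both existing factors are checked before anything is done with the
        # new password, so a hijacked session alone cannot lock the owner out.
        if not verify_password(current, self.password_hash):
            return "rejected: current password incorrect"
        if not totp_ok(self.totp_secret, code, self._now()):
            return "rejected: one-time code incorrect"
        if len(new) < 12:
            return "rejected: new password too short"
        self.password_hash = hash_password(new)
        return "ok"


RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret

if __name__ == "__main__":
    acct = Account("adam", "correct horse battery", RFC6238_SECRET, now=lambda: 59.0)
    print(provisioning_uri("NFO", "adam", RFC6238_SECRET))
    print(totp(RFC6238_SECRET, 59))  # 287082, per RFC 6238 Appendix B
    print(acct.change_password("wrong", "a longer new password", "287082"))
    print(acct.change_password("correct horse battery", "a longer new password", "000000"))
    print(acct.change_password("correct horse battery", "a longer new password", "287082"))
```

The stored record carries its own round count so the cost can be raised later and old hashes re-hashed at next login. In a real panel the successful branch would also revoke every other active session, which is the combination that lets the legitimate owner regain control after a hijack.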
Post by Naleksuh »

I don't think I want to continue talking about this publicly as Edge100x said before: "Yes, I would prefer that you ask about security concerns directly rather than post publicly. Nothing said so far is new or a true vulnerability that attackers can exploit, but in theory someone might bring up an undiscovered vulnerability."

Is there a special email address for security-related stuff? Or should I just use the standard one?
hiimcody1
Staff
Posts: 1593
Joined: Wed Dec 28, 2011 4:59 pm

Post by hiimcody1 »

Naleksuh wrote: ↑ Sat Feb 06, 2021 12:09 pm
    Is there a special email address for security-related stuff? Or should I just use the standard one?

Our standard support@nfoservers.com email would work best for this.

Vortire wrote: ↑ Sat Feb 06, 2021 3:48 am
    Noted. I'm just more of a fan of open-source and open-feedback type of guy, it usually gives the issue higher priority and makes others aware of the potential flaws that were found and stops some companies from just shrugging it off (many do unfortunately).
It definitely has its place, especially with bigger companies that make it difficult to reach the right people via conventional means.

In our case, contacting the right people here is much easier since we don't have any sort of outsourced support staff or other roadblocks you commonly see.
Post by Vortire »

Thank you for the reply. I completely understand; I do work for independently large businesses, and good gravy, it can be hard to find the right person, but NFO, you have the best support time and effectiveness I've ever seen. Huge praise to you on that front. I too will not be responding further on this thread.