This post talks about another security problem resulting from a bad interaction between two different applications. The problem is that the FTP address of your web site, login name and password included, can be viewed by anybody on the Internet in a specific situation.
How did it happen?
I am using the AceFTP software to connect to the FTP server of my web site. It is a really nice FTP client. One of its useful features is the possibility to view a file (text, image or web page) in an embedded web browser: if you click on your index.htm file, you see it instantly in the browser, which is really useful when you do not remember what a specific file was.
I am also using StatCounter as my web site statistics service; I already talked about that beautiful service before. You only have to put a little JavaScript code on one of your web pages, and it will record the entry and exit pages of your visitors.
Now you wonder what the problem is?
The problem appears when one feature of AceFTP and another one of StatCounter interact:
- The preview feature of AceFTP
- And the possibility to put your statistics public with StatCounter
Note: keep in mind that this security problem is possible with any other FTP client software that has the same feature and any other web site statistics service that broadcasts the stats publicly. I use AceFTP and StatCounter in my example because it is with them that I discovered the problem.
You see the problem coming? When I view a file that contains StatCounter's JavaScript code in the embedded browser, the code on that page is executed by the FTP client, so the visit is recorded by StatCounter. The problem is that the entry page StatCounter records is the ftp:// address of the file, login name and password included, something like this:
Then, if the public statistics of your StatCounter account are turned on, anybody can get access to the FTP server of your web site.
Demonstration
- I view one of my files containing StatCounter's JavaScript code with my FTP client software
- Then I check my stats
How can we fix the problem?
- Web services like StatCounter could check for the pattern "*:*@*" and hide it. It is exactly what Bloglines did when I discovered a similar problem with their web application.
- You could use another option of StatCounter that enables you to ignore the visits coming from your IP address. If StatCounter ignores your visits, such activity will not be recorded.
- You could simply stop using the preview feature of AceFTP.
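The first two fixes above, as an added example that is not StatCounter's code nor anything from the original post: a small Python sanitizer that a stats service could run over visitor records before publishing them. It drops the "user:password@" part of any recorded URL (the "*:*@*" pattern) and skips visits from the site owner's own IP addresses. It also blanks session-id query parameters (the case raised in the comments below), which goes slightly beyond the post. The record format, the sample lines and the list of session parameter names are all constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample visitor records, in the shape a stats service might keep:
# "<visitor ip> <entry page> <referrer>" ("-" when there is no referrer). Not real data.
SAMPLE_LOG = [
    # the case from the post: the FTP client's embedded browser ran the tracker
    # script, so the recorded entry page is the ftp:// URL including the login
    "203.0.113.5 ftp://alice:s3cret@ftp.example.com/public_html/index.htm -",
    # an ordinary visitor with a harmless referrer
    "198.51.100.7 http://www.example.com/index.htm http://search.example.org/?q=example",
    # a session id carried in the query string (the case raised in the comments)
    "192.0.2.9 http://www.example.com/page.htm?sid=ABC123&lang=en http://www.example.com/",
]

# Query parameter names treated as session identifiers (assumed list for this example).
SESSION_PARAMS = frozenset({"sid", "sessionid", "phpsessid", "jsessionid"})


def redact_userinfo(url: str) -> str:
    """Drop the 'user:password@' part of a URL, keeping scheme, host, port and path."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]  # everything after the last '@' is host[:port]
    return urlunsplit(parts._replace(netloc=host))


def redact_session_params(url: str, names=SESSION_PARAMS) -> str:
    """Replace the values of known session-id query parameters, keeping the others."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [(k, "REDACTED" if k.lower() in names else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def sanitize_url(url: str) -> str:
    """Apply both redactions; '-' (no referrer) passes through unchanged."""
    if url == "-":
        return url
    return redact_session_params(redact_userinfo(url))


def sanitize_records(lines, ignore_ips=frozenset()):
    """Return the records that are safe to publish.

    Visits from the owner's own IPs are dropped (the 'ignore my IP' option) and
    the entry page and referrer of every remaining record are redacted.
    """
    published = []
    for line in lines:
        ip, entry, referrer = line.split(" ", 2)
        if ip in ignore_ips:
            continue
        published.append(f"{ip} {sanitize_url(entry)} {sanitize_url(referrer)}")
    return published


if __name__ == "__main__":
    for record in sanitize_records(SAMPLE_LOG, ignore_ips={"203.0.113.5"}):
        print(record)
```

Redacting on the service side is the fix that protects every user at once, whereas the ignore-my-IP option only helps the one site owner who turns it on, and only while browsing from that address.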
Conclusion
My conclusion is the same as the one I wrote for the Bloglines problem with the RSS feed: this experience is a good example of the potential security threats that can appear when more than one system starts to interact together.
Technorati: security | statcounter | aceftp | ftp | flaw | hack |
Fortrel
July 29, 2005 — 2:40 pm
Hmm… That's an interesting problem.
Another option would be for the AceFTP software to have a property like "Root URL" to specify where the content of the FTP site is available on the web. So if you ask for a preview of, let's say, "/home/mysite/public_html/index.html", it knows that this is available online at "http://www.mysyte.com/index.html". It would do the translation for you and use the HTTP protocol instead of the FTP protocol.
(This last sentence reads OK, but if you stop and think about it, the "P" of HTTP and FTP stands for "protocol", so it becomes pretty redundant!)
Alex
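The "Root URL" idea from the comment above, as an added illustration that is not the commenter's code nor anything from AceFTP: a Python function that maps a remote FTP path to the public HTTP URL the client would open instead, so the preview request never carries the ftp:// address. The FTP root path and root URL are example values; the function refuses paths outside the configured root (including "../" escapes) rather than guessing a URL for them.

```python
import posixpath
from urllib.parse import urljoin, quote

# Example settings a client could store per site (assumed values, not AceFTP's).
FTP_ROOT = "/home/mysite/public_html"
ROOT_URL = "http://www.mysyte.com/"


def ftp_path_to_http(remote_path: str, ftp_root: str = FTP_ROOT, root_url: str = ROOT_URL):
    """Return the public HTTP URL for a remote FTP path, or None if it is outside the root."""
    # Normalise both paths so that "a/./b" and "a/../b" cannot escape the root unnoticed.
    norm = posixpath.normpath(remote_path)
    root = posixpath.normpath(ftp_root)
    inside = norm == root or norm.startswith(root.rstrip("/") + "/")
    if not inside:
        return None  # nothing public corresponds to this file; preview over HTTP is impossible
    relative = norm[len(root):].lstrip("/")
    # Percent-encode the path segments so spaces and special characters survive the URL.
    return urljoin(root_url.rstrip("/") + "/", quote(relative))


if __name__ == "__main__":
    for path in ("/home/mysite/public_html/index.html",
                 "/home/mysite/public_html/img/a b.png",
                 "/home/mysite/private/secret.txt",
                 "/home/mysite/public_html/../private/secret.txt"):
        print(path, "->", ftp_path_to_http(path))
```

With this mapping the preview is fetched the way a normal visitor would fetch it, so the tracker script sees an http:// entry page and no credentials are involved at all.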
Fred
July 30, 2005 — 10:55 am
Hello Alex,
Definitely. It could be a good fix. The problem I see is that people would not know what the feature is for, and so would not use it. Another solution would be to trick the HTTP request's header to hide the "came from" URL field (or something like that, I do not remember the exact name of the field) of the HTTP request.
Salutations,
Fred
Sudar
August 1, 2005 — 12:44 am
Hi Fred,
Even Sitemeter has the same problem. It is not only limited to the FTP username and password; even session IDs which are passed in the URL can be retrieved if the stats are opened as public.
Fred
August 1, 2005 — 12:10 pm
Hello Sudar,
Yup, in fact, probably all stats services able to publicly broadcast the stats are "vulnerable".
Yup, it is also true for the session ID. However, this one is the web developer's problem. It depends on how his system is built and how he handles the session IDs.
Salutations,
Fred