bug-cvs

RE: Security Breach Alert - CVS Home File Download Area Compromised


From: Conrad T. Pino
Subject: RE: Security Breach Alert - CVS Home File Download Area Compromised
Date: Wed, 26 Jan 2005 03:59:29 -0800

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bernd,

Kenneth, this message sheds more light regarding the Java servlet as not likely to
be an issue, as I've tested down to the final redirect in a double-redirection
process used for file downloads.

> From: Bernd Petrovitsch
> 
> > I'm still unable to download "*.gz.sig" for binaries with Internet Explorer
> > 6 and the same download with Netscape 4.8 saves a zero length file.
> 
> Strange.

Worse.  How do you verify a PGP signed file without the signature file?

> > Working your idea a bit further, the file received with Internet Explorer 6
> > is the exact size and content of the uncompressed original which says 
> > "magic"
> > is taking place but I'm not sure it's client side magic because I expect the
> > client side "magic" to work against all servers and that's not currently 
> > true.
> > 
> > I get "magic" behavior with:
> 
> Which files/URLs exactly?

In general the source file areas work:

        ccvs
        ccvs/archive/*

In general the binary file areas are problematic:

        ccvs/binaries/*

except for

        ccvs/binaries/linux/*
        ccvs/binaries/win32/*

both of which use different file extensions.

The binary file areas containing "*.gz" and "*.gz.sig" files are at issue.

> > https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=92
> 
> With the .gz Files?

I've had good results with source files like:

        *.tar.bz2       *.tar.bz2.sig
        *.tar.gz        *.tar.gz.sig

I've had good results with binary files like:

        *.rpm
        *.zip           *.zip.sig

I've had problems with binary files like:

        *.gz            *.gz.sig

> > and many other binary areas on CVS home but no "magic" with
> > https://ccvs.cvshome.org/servlets/ProjectDocumentList?folderID=0
> 
> With the .bz2 files?

I've only tested with source tar balls compressed using bz2 and
that suggests another experiment.

> > and no "magic" with
> > http://jakarta.apache.org/site/binindex.cgi
> > either.
> 
> The web server may send MIME-Types and similar stuff with the delivered
> file. The browser may interpret the MIME-Type and do something on it
> (automatically or after asking the user or not at all or ...).

Unless you "right click" on the hyperlink and use the "Save Target As..."
option, which I always do when conducting these tests.

> ----  snip  ----
> {5}wget -S
> 'https://ccvs.cvshome.org/files/documents/19/342/cvs-1.11.11-SunOS-5.8-i386.gz'
> --10:09:46--  
> [...]
> 10 Content-Type: text/plain
> 11 Content-Encoding: x-gzip
> ----  snip  ----
> Assuming a "yes" on the above questions, I guess that IE (or whatever
> HTTP-client you use) may handle .gz now and ignores .bz2.
> And the client side behaviour should be configurable (for exactly the
> reason you mentioned - checking md5 hashes) or you throw the HTTP-client
> in the litter box.

I've been careful to check that Windows 2000 and Internet Explorer 6 are
not processing the file.  Let's not forget Netscape 4.8 has a similar issue.

I can't get "*.gz.sig" files to download on Mac OS X with Safari 1.2.4 and
Internet Explorer 5 on Mac is also affected.

On the other hand the Windows implementation of wget 1.9.1 works as expected
and the PGP signature does verify in a single case test (see below).

I used the wget dialog to isolate the final redirects and created a test HTML
page using the final target URLs in hyperlinks for both "*.gz" and "*.gz.sig"
files.  I still get a file too large for the "*.gz" and the "*.gz.sig" doesn't
download.  This does say it's probably not a Java servlet issue as speculated
in an earlier message to Kenneth Schwarzman.  The test page is:

<html>
<body>
<p><a href="https://www.cvshome.org/files/documents/19/340/cvs-1.11.12-SunOS-5.8-i386.gz">Link</a></p>
<p><a href="https://www.cvshome.org/files/documents/19/341/cvs-1.11.12-SunOS-5.8-i386.gz.sig">Link Sig</a></p>
</body>
</html>

>       Bernd

Conrad

U:\work>wget https://ccvs.cvshome.org/files/documents/19/343/cvs-1.11.11-SunOS-5.8-i386.gz.sig
--02:31:45--  https://ccvs.cvshome.org/files/documents/19/343/cvs-1.11.11-SunOS-5.8-i386.gz.sig
           => `cvs-1.11.11-SunOS-5.8-i386.gz.sig'
Resolving ccvs.cvshome.org... 64.125.133.66
Connecting to ccvs.cvshome.org[64.125.133.66]:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://ccvs.cvshome.org/servlets/ProjectDocumentDownload?documentID=343 [following]
--02:31:46--  https://ccvs.cvshome.org/servlets/ProjectDocumentDownload?documentID=343
           => address@hidden'
Connecting to ccvs.cvshome.org[64.125.133.66]:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.cvshome.org/files/documents/19/343/cvs-1.11.11-SunOS-5.8-i386.gz.sig [following]
--02:31:47--  https://www.cvshome.org/files/documents/19/343/cvs-1.11.11-SunOS-5.8-i386.gz.sig
           => `cvs-1.11.11-SunOS-5.8-i386.gz.sig'
Resolving www.cvshome.org... 64.125.133.66
Connecting to www.cvshome.org[64.125.133.66]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 66 [text/plain]

100%[====================================>] 66            --.--K/s

02:31:48 (64.45 KB/s) - `cvs-1.11.11-SunOS-5.8-i386.gz.sig' saved [66/66]


U:\work>wget https://ccvs.cvshome.org/files/documents/19/342/cvs-1.11.11-SunOS-5.8-i386.gz
--02:43:24--  https://ccvs.cvshome.org/files/documents/19/342/cvs-1.11.11-SunOS-5.8-i386.gz
           => `cvs-1.11.11-SunOS-5.8-i386.gz'
Resolving ccvs.cvshome.org... 64.125.133.66
Connecting to ccvs.cvshome.org[64.125.133.66]:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://ccvs.cvshome.org/servlets/ProjectDocumentDownload?documentID=342 [following]
--02:43:26--  https://ccvs.cvshome.org/servlets/ProjectDocumentDownload?documentID=342
           => address@hidden'
Connecting to ccvs.cvshome.org[64.125.133.66]:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://www.cvshome.org/files/documents/19/342/cvs-1.11.11-SunOS-5.8-i386.gz [following]
--02:43:27--  https://www.cvshome.org/files/documents/19/342/cvs-1.11.11-SunOS-5.8-i386.gz
           => `cvs-1.11.11-SunOS-5.8-i386.gz'
Resolving www.cvshome.org... 64.125.133.66
Connecting to www.cvshome.org[64.125.133.66]:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 725,534 [text/plain]

100%[====================================>] 725,534       16.43K/s    ETA 00:00

02:44:11 (16.33 KB/s) - `cvs-1.11.11-SunOS-5.8-i386.gz' saved [725534/725534]


U:\work>wget --version
GNU Wget 1.9.1

Copyright (C) 2003 Free Software Foundation, Inc.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

Originally written by Hrvoje Niksic <address@hidden>.

U:\work>

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBQfeGILNM28ubzTo9EQIAMACgnLZBjKj0XCBFUNAZvhJeWbAIi4MAn34K
lO/9oHq3bzc9v2H6dmNhIpcF
=yA2d
-----END PGP SIGNATURE-----
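The thread above narrows the symptom to the headers Bernd captured with wget -S (Content-Type: text/plain plus Content-Encoding: x-gzip on a .gz file) and to the fact that wget 1.9.1 saves the raw body while browsers do not. The script below is an added example, not code from the thread or from the CVS project: it reproduces that situation offline with a constructed gzip artifact, a SHA-256 digest standing in for the detached PGP signature, and a constructed header dict copied from the values in the wget -S excerpt. It shows why a client that decodes Content-Encoding saves a "too large" file whose signature cannot verify, and it includes a small header check a download-verification step can run before trusting what landed on disk. The URL used in the demo is a placeholder.

```python
# Added example (not from the bug-cvs thread): why a .gz download arrives
# "too large" and its detached .gz.sig fails when a client decodes
# Content-Encoding before saving. Sample bytes, the header dict and the URL
# are constructed; the header values mirror the thread's wget -S output.
import gzip
import hashlib

# Constructed stand-in for a packaged binary. The artifact that gets
# published and signed is the gzip stream itself, not the payload inside it.
PAYLOAD = b"constructed cvs binary placeholder\n" * 64
GZ_ARTIFACT = gzip.compress(PAYLOAD, mtime=0)

# Constructed header dict with the two values reported in the thread.
HEADERS_FROM_THREAD = {"Content-Type": "text/plain", "Content-Encoding": "x-gzip"}


def artifact_digest(data: bytes) -> str:
    """Stand-in for a detached PGP signature: commits to the exact bytes served."""
    return hashlib.sha256(data).hexdigest()


SIGNED_DIGEST = artifact_digest(GZ_ARTIFACT)  # what a real .gz.sig would cover


def transport_gzip(headers: dict) -> bool:
    """True when the server declares the body as gzip transport-encoded."""
    encoding = headers.get("Content-Encoding", "").strip().lower()
    return encoding in ("gzip", "x-gzip")


def simulate_download(body: bytes, headers: dict, decode_content_encoding: bool) -> bytes:
    """Return the bytes a client writes to disk.

    A browser that honours Content-Encoding decodes the body before saving;
    a client that ignores it (the thread reports wget 1.9.1 does) writes the
    raw body, which is the signed artifact.
    """
    if decode_content_encoding and transport_gzip(headers):
        return gzip.decompress(body)
    return body


def signature_matches(saved: bytes) -> bool:
    """Verify the saved bytes against the digest the signature commits to."""
    return artifact_digest(saved) == SIGNED_DIGEST


def diagnose(url: str, headers: dict) -> list:
    """Header findings a verification step should raise before trusting a file."""
    findings = []
    if url.endswith(".gz") and transport_gzip(headers):
        findings.append(
            "compressed artifact served with Content-Encoding gzip: clients that "
            "decode it will save bytes that do not match the detached signature")
    if url.endswith((".gz", ".sig")) and headers.get("Content-Type", "").startswith("text/"):
        findings.append("binary artifact labelled text/*: clients may reinterpret it")
    return findings


if __name__ == "__main__":
    url = "https://example.invalid/files/cvs-placeholder.gz"  # placeholder URL
    browser_copy = simulate_download(GZ_ARTIFACT, HEADERS_FROM_THREAD, True)
    wget_copy = simulate_download(GZ_ARTIFACT, HEADERS_FROM_THREAD, False)
    print("decoding client saved", len(browser_copy), "bytes; signature ok:",
          signature_matches(browser_copy))
    print("raw-body client saved", len(wget_copy), "bytes; signature ok:",
          signature_matches(wget_copy))
    for finding in diagnose(url, HEADERS_FROM_THREAD):
        print("finding:", finding)
```

The decoding client ends up with the uncompressed payload, which is exactly the "exact size and content of the uncompressed original" symptom, and the digest over those bytes no longer equals the one computed over the served .gz. The practical check is the one diagnose() performs: when the content you mean to verify is itself compressed, the server must not also declare it as transport-encoded, or every Content-Encoding-aware client will silently alter what it saves.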
