Atlassian has recently released a patch for a security issue in Crowd, its enterprise single sign-on service. The company is, however, disputing Command Five's assertion that another, unpatched vulnerability remains in the product.
The Command Five advisory states that Crowd's handling of XML document type definitions (DTDs) lets a third party retrieve files from the Crowd server, mount denial-of-service (DoS) attacks, or make HTTP requests inside the network without the owner's permission.
The advisory explains that an XML document may declare entities, placeholders that the parser replaces with other content when the document is processed. An external entity points at a URL that Crowd's parser fetches during parsing, so an attacker who controls the DTD can replace that URL with a path to a local file or to another host on the target network. The examples given in the advisory are summarised below.
- Remote file retrieval: by declaring an entity whose URL points at a local file, an attacker can read any file the Crowd server process is able to access.
- HTTP relay: the Crowd server can be made to issue HTTP requests, including requests against itself. Because these arrive from localhost, they bypass Crowd's trusted-proxy and remote-address validation rules.
- Denial of service: nested XML entities declared in the DTD of a SOAP request expand exponentially when the request is parsed, exhausting the server's resources.
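As an added illustration (not code from the advisory, from Command Five or from Atlassian), the following Python script shows what each of the three constructs looks like inside a SOAP request and how a pre-parse gate can refuse them before any real XML parser sees the document. The request bodies, entity names and the internal URL are constructed for the demo, and the 10,000-byte expansion limit is an arbitrary assumption; the gate also flags parameter entities and recursive entities, which the advisory does not mention.

```python
"""Pre-parse gate for SOAP/XML request bodies (added example, not Crowd code).

Scans the DOCTYPE for the constructs behind the three attack classes in the
advisory: external entities that read local files, external entities that make
the server issue HTTP requests, and nested internal entities that expand to a
huge document. All sample requests below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")
# <!ENTITY name SYSTEM "uri">, <!ENTITY name PUBLIC "id" "uri">, or the
# internal form <!ENTITY name "value">; a leading '%' marks a parameter entity.
_ENTITY_DECL_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.\-:]+)\s+'
    r'(?:(?P<kind>SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"(?P<uri>[^"]*)"'
    r'|"(?P<value>[^"]*)")')
_ENTITY_REF_RE = re.compile(r"&([\w.\-:]+);")


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)
    expansion_bytes: int = 0  # size the body grows to once entities expand


def _expanded_size(name, internal, memo, stack):
    """Size of an entity after full expansion, computed without materialising it."""
    if name in stack:
        raise ValueError(f"recursive entity &{name};")
    if name in memo:
        return memo[name]
    value = internal.get(name)
    if value is None:  # predefined (&amp;) or external entity: no internal growth
        return 0
    stack.add(name)
    size = len(value)
    for ref in _ENTITY_REF_RE.findall(value):
        # the text '&ref;' (len(ref) + 2 chars) is replaced by ref's own expansion
        size += _expanded_size(ref, internal, memo, stack) - (len(ref) + 2)
    stack.discard(name)
    memo[name] = size
    return size


def audit_xml(doc: str, max_expansion: int = 10_000) -> Verdict:
    """Reject documents whose DTD can read files, relay HTTP requests or blow up."""
    dt = _DOCTYPE_RE.search(doc)
    if dt is None:
        return Verdict(allowed=True)
    reasons, internal = [], {}
    for m in _ENTITY_DECL_RE.finditer(doc):
        name = m.group("name")
        if m.group("param"):
            reasons.append(f"parameter entity %{name}; (can pull in an external DTD)")
        if m.group("kind"):
            uri = m.group("uri")
            scheme = uri.split(":", 1)[0].lower() if ":" in uri else "file"
            what = ("local file read" if scheme == "file"
                    else "server-side HTTP relay" if scheme in ("http", "https")
                    else "external fetch")
            reasons.append(f"external entity &{name}; -> {uri} ({what})")
        else:
            internal[name] = m.group("value")
    # Only references after the internal subset count towards body growth.
    end = doc.find("]>", dt.end())
    body = doc[end + 2:] if end != -1 else doc[doc.find(">", dt.end()) + 1:]
    memo, total = {}, 0
    try:
        for ref in _ENTITY_REF_RE.findall(body):
            total += _expanded_size(ref, internal, memo, set())
    except ValueError as exc:
        reasons.append(str(exc))
    if total > max_expansion:
        reasons.append(f"entity expansion of {total} bytes exceeds {max_expansion}")
    return Verdict(allowed=not reasons, reasons=reasons, expansion_bytes=total)


def parse_after_gate(doc: str):
    """Parse only documents the gate accepts; returns the root element."""
    verdict = audit_xml(doc)
    if not verdict.allowed:
        raise ValueError("rejected XML: " + "; ".join(verdict.reasons))
    return ET.fromstring(doc)


# Constructed sample requests; the internal URL is invented for the demo.
_ENVELOPE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             '<soap:Body><authenticate><name>{}</name></authenticate></soap:Body>'
             '</soap:Envelope>')
BENIGN_REQUEST = '<?xml version="1.0"?>' + _ENVELOPE.format("alice")
FILE_READ_REQUEST = ('<?xml version="1.0"?><!DOCTYPE soap ['
                     '<!ENTITY xxe SYSTEM "file:///etc/passwd">]>' + _ENVELOPE.format("&xxe;"))
HTTP_RELAY_REQUEST = ('<?xml version="1.0"?><!DOCTYPE soap ['
                      '<!ENTITY relay SYSTEM "http://127.0.0.1:8080/admin/">]>'
                      + _ENVELOPE.format("&relay;"))


def _laughs(depth: int = 4, fanout: int = 10) -> str:
    """Nested-entity DoS payload: 'lol' repeated fanout**depth times (3 * 10**4 bytes)."""
    decls, prev = ['<!ENTITY lol "lol">'], "lol"
    for i in range(1, depth + 1):
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
        prev = f"lol{i}"
    return ('<?xml version="1.0"?><!DOCTYPE soap [' + "".join(decls) + "]>"
            + _ENVELOPE.format(f"&{prev};"))


BILLION_LAUGHS_REQUEST = _laughs()

if __name__ == "__main__":
    for label, req in [("benign", BENIGN_REQUEST), ("file read", FILE_READ_REQUEST),
                       ("http relay", HTTP_RELAY_REQUEST), ("nested entities", BILLION_LAUGHS_REQUEST)]:
        v = audit_xml(req)
        print(f"{label:16} {'ALLOWED' if v.allowed else 'REJECTED'} "
              f"expansion={v.expansion_bytes} {v.reasons}")
```

The gate is deliberately a text scan that runs before parsing: by the time a DTD-aware parser has expanded the entities, the file has already been read, the request already sent, or the memory already consumed. In production the same effect is achieved by configuring the parser itself to disallow DOCTYPE declarations and external entity resolution; the scan is simply the visible version of that check.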
Command Five notes that Atlassian has addressed these issues by releasing upgraded software with the related patches. A company spokesperson said that the first vulnerability has already been patched in a maintenance release.
However, according to Command Five's latest statement, at least one further critical vulnerability remains unpatched. It allows an unauthorised third party to take complete control of any Crowd server to which they can open a network connection.
Atlassian denies this, saying that it has not been able to substantiate the claim that another vulnerability exists; the claim cannot be independently verified. The company says it is taking the matter seriously, is reaching out to sources for more information, and will issue a patch once the problem has been pinpointed. It adds that it is committed to addressing customers' concerns and will update Crowd accordingly.
Robert says
Let’s face it, security vulnerabilities happen. It’s the nature of any data management / development programming language. Just look at all the controversy that is in the news about security issues with Google, the NSA and financial institutions that use Oracle to manage and secure their data. I saw an interview with the founder of Oracle who is claiming that Google is using his technology and concealing it so that they pay no royalties.
Joseph says
I just assumed that it is the nature of the XML parsing language (namely its flexibility / versatility which enables it to be compatible with other platforms) that also makes it more susceptible to security vulnerabilities. I’m assuming that this is a typical case of sacrificing one con for a pro. I guess you can’t always have your cake and eat it too. There are usually concessions you make, even with programming languages.