Reply to comment
DotCloud Beta Multiple Vulnerabilities
Name: DotCloud Beta Multiple Vulnerabilities
Systems Affected: DotCloud current beta
Author: Michele "antisnatchor" Orru (michele.orru AT antisnatchor DOT com)
DotCloud is a new managed IaaS aimed to create "mashups" of applications
Multiple vulnerabilities have been identified in the web application
used to access the user API/SSH keys.
To exploit Open Redirection on the first URL is enough to put a not already registered email address
in the "email" parameter:
The second one is present during the login action, so it's pre-authenticated and
this fact increases the security risk:
POST /account/login HTTP/1.1
Open Redirection can be used for phishing purposes or
to execute malicious code on the victim behalf: it would be easy
for an attacker to exploit them to hook the victim browser to BeEF
and then redirect back the victim on the login page, while
b. Credentials are sent in cleartext
No SSL certificates are used at all to protect sensitive informations
from eavesdropping attacks like MITM.
c. Sensitive form with autocomplete enabled
As can be seen in the login page:
the password form field don't have the autocomplete=off attribute in place.
This could lead an attacker to steal the credentials stored in the browsers
if having XSS in the next releases of the DotCloud webapp, or in this case
after exploiting the Open Redirection vulnerability.
d. Cookie without HttpOnly flag
Even if there are ways to bypass this security measure,
the HttpOnly flag should always be added to prevent
e. No anti-XSRF tokens on sensitive forms submissions
No unique tokens are added to sensitive forms to prevent
replay attacks like Cross Site Request Forgery.
At least the forms to change the API key and
the form to upload an SSH key should be protected
in this way, to prevent that in case of any XSS
that would be present in the next releases of the DotCloud webapp
things would't get worse.
DotCloud current beta is vulnerable.
Redirects should not be controlled by users: build a server-side white list of known-good
URLs where the redirect should point to, for example.
VI. VENDOR RESPONSE
Fixed from 14 March 2011.
VII. CVE INFORMATION
No CVE at this time.
VII. DISCLOSURE TIMELINE
20110307 Initial vendor contact
20110310 Initial vendor response
20110314 Vendor fixes issues
20110328 Public disclosure
Michele "antisnatchor" Orru'
IX. LEGAL NOTICES
Copyright (c) 2011 Michele "antisnatchor" Orru'
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,