Sunday, 16 Bahman 1390    16:11

Discovery of DotNetNuke Security Bugs by Iranian Teams

1388/02/06   //   by site admin   //   site news  //  11 comments  //  3147 views

Shaun Walker (the creator of DotNetNuke) recently published his new book. In one section of the book, Walker refers to security bugs that were identified by various users, and the names of two Iranians appear among them.

The first person Walker mentions is Mr. Morteza Kermani, one of the administrators of Irandnn, who last year discovered a major security bug in the DotNet FrameWork and astonished the DotNetNuke core team. Mr. Kermani, for his part, reported the bug to Walker with complete honesty and tried to help fix it. (More details on the DotNetNuke site...)

The second team he mentions is the ISCN Team, made up of three young Iranians. This team had managed to upload a Txt file with the text below to the Portals/0 folder of more than five hundred DotNetNuke-based sites. This act does seem somewhat destructive. That said, the nice part of this team's work was its support for the Persian Gulf, although we do not know why Iranian DotNetNuke-based sites were also attacked.

Below you can read part of the book's text in the original language.

Security Issues
In the early spring of 2008 the project experienced a number of security issues which required our immediate attention as well as strategic management to ensure the reputation of the project was not tarnished.
When it comes to security vulnerabilities in software it is not always the technical issues which are the primary challenge but rather the motivations of the parties involved which play a significant role in defining an appropriate solution.
The first security issue was reported to us by Will Morgenweck of ActiveModules, a well known and respected vendor in our ecosystem. He indicated that his own site had been compromised and he sent us his IIS logs in order to help us identify the problem. However, deep analysis of the logs and the application source code in the area targeted did not reveal the vulnerability. Without the ability to replicate the problem it would be impossible to fix; therefore, we had to try to get to the bottom of it. When the third party had compromised Will’s system, they had used a login account which provided some clue about their identity. I decided to take a chance and reach out to them via email; however I was not confident that I would receive any response. Luckily they did respond and over the coming weeks I was able to establish a relationship through a series of email conversations.
It turned out we were dealing with a 22 year old Iranian student named Morteza Kermani who was a member of the DotNetNuke Iran User Group. He indicated that he had not meant to cause any harm and would be willing to help us solve the problem. He explained the actions he had taken to bypass the security mechanisms and this provided us with the detail we needed to replicate the problem locally.
It turned out that he was relying on an undocumented behavior within the .NET Framework which we had not taken into consideration. Basically, if a person specified a trailing period for a filename, the .NET Framework would not throw an Invalid Filename error, but would instead strip the trailing period from the filename and then create the file on the disk. This vulnerability allowed Morteza to bypass DotNetNuke’s file extension security, upload a shell script to the server, and then browse to it directly from a web browser, where he could then navigate the server file system. Now I would personally consider this .NET Framework behavior to be a bug; however, since we have no control over the underlying bits, we had to implement our own security mechanisms to prevent this type of exploit in the future. The patch was made available as soon as we successfully validated our solution, and very few sites were affected.
The second security issue occurred in May and was much less severe in terms of the potential damage to the user's system; however, it was much worse in terms of public visibility. A group from Iran calling themselves the ISCN or Iran Security Center Networks had discovered a vulnerability in the third party FCKEditor rich text editor control which allowed an anonymous user to upload a file to a public website. The DotNetNuke file upload mechanism did have preventive code in place to prevent them from uploading malicious files; therefore, in most instances they simply uploaded a basic text file named ISCN.txt which contained the following text:

!!! Persian Gulf For Ever !!!
Owned By : Magic-Boy , Imm02tal , Mormoroth
Contact Us : ISCNltd@GMail.coM
ISCN Team
!!! Persian Gulf For Ever !!!

Although the text file did not represent a threat to a user's site, the ISCN group also posted links to every system they were able to successfully compromise on a security site called Zone-H. As the list grew, we knew we had to move very quickly to issue a patch or else the reputation of the project as a secure platform would be affected. Tomotoshi Sugishita of the DotNetNuke Japan User Group and Mitchell Sellers were both extremely helpful in identifying and resolving the vulnerability.
The third security issue was discovered by a Hosting provider within our ecosystem. In this case, the vulnerability was again not severe; however, it was the actions taken by the Hosting provider which resulted in some serious problems. Rather than reporting the problem to our security alias and working with us to create a patch for the community, the Hosting provider decided the security vulnerability represented a revenue opportunity for their business. They quickly created a ‘‘patch’’ support service which users could purchase to have the security problem immediately resolved on their site. And then they issued a public press release on PRWEB announcing the existence of the vulnerability. This unprofessional behavior was not well received within the DotNetNuke developer community and there was considerable backlash. Ultimately the Hosting provider did finally submit the problem to us and we were able to analyze its impact. In this case, the problem was related to manually invoking the install wizard which could cause problems for some installations, as not all installation tasks are designed to be re-executable. We were able to successfully resolve the problem almost immediately and issue a new general release.
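
The trailing-period issue described in the excerpt above, as an added example (not taken from the book or from DotNetNuke's code): a Python model that contrasts a check applied to the submitted filename with one applied to the name as it will be stored. The deny-list, allow-list, function names and sample filenames are assumptions constructed for illustration.

```python
import os

# Assumed policy for illustration (not DotNetNuke's real configuration).
BLOCKED_EXTENSIONS = {".aspx", ".asp", ".ashx", ".exe"}
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif", ".txt", ".pdf"}

# Constructed sample upload names.
SAMPLE_NAMES = ["photo.jpg", "notes.txt", "page.aspx", "page.aspx.",
                "page.aspx. .", "report.pdf "]

def stored_name(name):
    """Model the name that reaches disk: trailing periods and spaces are dropped."""
    return name.rstrip(". ")

def naive_is_allowed(name):
    """Hypothetical weak check: deny-list applied to the name as submitted."""
    return os.path.splitext(name)[1].lower() not in BLOCKED_EXTENSIONS

def mismatches(names):
    """Names the weak check accepts although the stored file has a blocked type."""
    found = []
    for name in names:
        disk_ext = os.path.splitext(stored_name(name))[1].lower()
        if naive_is_allowed(name) and disk_ext in BLOCKED_EXTENSIONS:
            found.append(name)
    return found

def validate_upload_name(name):
    """Hardened check: reject non-canonical names, then apply an allow-list."""
    if not name or "/" in name or "\\" in name:
        return False, "empty name or path separator"
    if stored_name(name) != name:
        return False, "trailing period or space"
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    return True, "ok"

if __name__ == "__main__":
    print("accepted by weak check, stored as blocked type:", mismatches(SAMPLE_NAMES))
    for n in SAMPLE_NAMES:
        print(repr(n), validate_upload_name(n))
```

The hardened check refuses any name that would change between validation and storage, so the extension it inspects is always the extension of the file that lands on disk.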

 

Article code: 78
Category: site news
News author: site admin

Comments
djnik1362

# Posted by: djnik1362
   Date posted: 1388/02/07
Hello
Good for them.... Is there anyone who has the ebook of this book...?
If you have it, for your mother's sake give it to us too...

Thanks....
Mormoroth

# Posted by: Mormoroth
   Date posted: 1388/02/27
That was interesting. Good that they patched it :))
amertadsoft

# Posted by: amertadsoft
   Date posted: 1388/03/17
Hello to my dear friends.. Why is it that in Iran.. not even you have set about writing a tutorial book for this software in Persian??
mormoroth

# Posted by: mormoroth
   Date posted: 1388/05/05
Greetings
Recently we have found other bugs in this system as well, which are far more dangerous than the previous one
Faramarz Zabihian

# Posted by: Faramarz Zabihian
   Date posted: 1388/06/18
This is exactly what synergy means, and this is a relatively fresh start for us that I hope will continue.
Younes

# Posted by: Younes
   Date posted: 1388/09/22
Up to which version exactly did this bug exist?
host

# Posted by: host
   Date posted: 1388/11/05
If you want to know very, very precisely, you can refer to the link in the text, but for your information it was in version 4.8.2 and earlier.
Good luck.
Reza Shirazi

# Posted by: Reza Shirazi
   Date posted: 1388/12/02
Honestly, ever since DotNetNuke started blocking Iranian IPs I no longer go near it. Besides, it is not clear that these people with Iranian names are inside Iran; many of them are of Iranian origin and were born and raised outside Iran.
Ahmad

# Posted by: Ahmad
   Date posted: 1389/05/30
Well, as far as I know some of these friends are in Iran itself and some are abroad, but what matters is that they are Iranian
Mormoroth

# Posted by: Mormoroth
   Date posted: 1389/09/15
Greetings
Recently another problem has come up for DNN, and the problem is in those same sessions
I cannot give more information, but all versions are affected
Also, we are all in Iran and are proud to be Iranian researchers
kourosh

# Posted by: kourosh
   Date posted: 1390/08/13
Hello
It was an interesting move. Friends who want the ebook can download it from here.
www.mediafire.com/?xrjcgpphdg7o6t2