Unauthorized API calls from outside to RDR

Postby shsuhung » Thu Jan 27, 2011 12:15 am

Hi,

We just discovered yesterday that the RDR (Version 5.5.7.4) will allow external/internal unauthenticated API requests to your OBS (Version 5.5.8.0 and 5.5.7.4) server. You do not need to supply any password when you use the parameter "SysPwd=".

*NOTE* This will allow all API requests such as List User, Delete user, and Create users.

Edit by Support

We have already secured the OBS servers with the proper IP restriction, and if you try to perform the API request directly to the OBS it does require the password from the internet.

Has anyone run into this issue yet, or is anybody even aware of this issue?
shsuhung
 
Posts: 6
Joined: Thu Jan 27, 2011 12:05 am

Postby lasseoe » Thu Jan 27, 2011 3:41 am

Edited by Support due to violation of General Forum Rule.
Lasse, please mind your language when posting on the Ahsay Discussion Forum.

General Rule - viewtopic.php?t=282 wrote:General rules

1. Disrespectful behavior will not be tolerated.
2. Profanity in any language will not be tolerated.
3. Insults, smarmy comments, provocative behavior, antagonistic behavior etc will not be tolerated.
...

Ahsay, I expect to see a hotfix for this in the morning!

Answer) The issue has already been resolved in the current version of AhsayRDR (version 5.5.8.0), which is downloadable at:
http://pedia.ahsay.com/openArticle.aspx?aid=2166
Lasse
lasseoe
 
Posts: 292
Joined: Fri Oct 02, 2009 5:07 am

Postby shsuhung » Thu Jan 27, 2011 4:03 am

Also do not restrict the IP address of the RDR from your OBS server in the Web.xml, or the RDR will not function correctly...
shsuhung
 
Posts: 6
Joined: Thu Jan 27, 2011 12:05 am

Postby lasseoe » Thu Jan 27, 2011 4:06 am

shsuhung wrote:Also do not restrict the IP address of the RDR from your OBS server in the Web.xml, or the RDR will not function correctly...

Well.. have you tested this? Looking through logfiles, I don't see any API calls TO the RDR, only regular calls (non-API).

Regardless, it's a major security hole whichever way you look at it. :evil:
Lasse
lasseoe
 
Posts: 292
Joined: Fri Oct 02, 2009 5:07 am

Postby shsuhung » Thu Jan 27, 2011 4:18 am

Hi, I have tried this already. You will get the following error if you do perform the IP restriction:
[obc55.GetUserProfileRqt.getHost] Throwable='[Http.HttpHeaderExpt] http-0.0.0.0-443-64[Err] The first line of HTTP header is 'HTTP/1.1 500 Internal Server Error''

Secondly, because you are sending the request to the RDR server rather than specifying the OBS host, you'll see something like the following in the RDR logs:
[info][system][api.ForwardApi] Forward API '/rdr/api/ListUsers.do' to '[obs server]'.
shsuhung
 
Posts: 6
Joined: Thu Jan 27, 2011 12:05 am
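The first post (unauthenticated API requests reaching the OBS through the RDR) and the exchange above about IP restriction in web.xml both come down to where the authentication check lives. The following is an added toy model written for this page, not AhsayRDR or AhsayOBS code: an OBS-like backend that requires SysPwd and applies an IP filter, a redirector that forwards `/rdr/api/<Action>.do` calls while supplying the backend password itself (the 5.5.7.4 behaviour as described), and a fixed redirector that authenticates the caller as the RDR admin before forwarding, as the changelog line quoted later in the thread describes. All addresses, passwords, user names and the `AddUser`/`DeleteUser` action names are constructed; the OBS side's rejection of a blocked IP is modelled as a 403, where the thread reports an HTTP 500.

```python
# Added example, not AhsayRDR/AhsayOBS code: toy model of an API redirector
# (RDR) forwarding management calls to a backend (OBS). All names, addresses
# and passwords below are constructed for the illustration.
import hmac
from dataclasses import dataclass, field
from typing import Optional

RDR_IP = "10.0.0.2"  # constructed: the address the RDR forwards from


@dataclass
class ObsServer:
    """Backend API. Direct callers must present SysPwd; an optional
    web.xml-style IP filter decides who may reach the API at all."""
    sys_pwd: str
    allowed_ips: Optional[set] = None  # None = no IP restriction
    users: dict = field(default_factory=dict)

    def api(self, action, params, source_ip):
        if self.allowed_ips is not None and source_ip not in self.allowed_ips:
            return 403, "source IP not permitted"  # thread reports an HTTP 500 here
        if not hmac.compare_digest(params.get("SysPwd", ""), self.sys_pwd):
            return 401, "SysPwd required"
        if action == "ListUsers":
            return 200, sorted(self.users)
        if action == "AddUser":  # constructed action name
            self.users[params["LoginName"]] = {}
            return 200, "added"
        if action == "DeleteUser":  # constructed action name
            self.users.pop(params["LoginName"], None)
            return 200, "deleted"
        return 404, "unknown action"


class VulnerableRdr:
    """Forwards every /rdr/api/<Action>.do call, supplying the stored OBS
    system password itself. The caller is never authenticated, so anyone
    who can reach the RDR reaches the OBS API."""

    def __init__(self, obs, obs_sys_pwd):
        self.obs, self.obs_sys_pwd = obs, obs_sys_pwd
        self.log = []  # mirrors the api.ForwardApi line quoted in the thread

    def forward(self, action, params, caller):
        self.log.append(f"[info][system][api.ForwardApi] Forward API "
                        f"'/rdr/api/{action}.do' to '[obs server]'.")
        fwd = dict(params, SysPwd=self.obs_sys_pwd)  # whatever the caller sent is irrelevant
        return self.obs.api(action, fwd, source_ip=RDR_IP)


class FixedRdr(VulnerableRdr):
    """Same forwarding, but the caller must first authenticate as the RDR admin."""

    def __init__(self, obs, obs_sys_pwd, admin_user, admin_pwd):
        super().__init__(obs, obs_sys_pwd)
        self.admin_user, self.admin_pwd = admin_user, admin_pwd

    def forward(self, action, params, caller):
        user_ok = hmac.compare_digest(caller.get("user", ""), self.admin_user)
        pwd_ok = hmac.compare_digest(caller.get("password", ""), self.admin_pwd)
        if not (user_ok and pwd_ok):
            return 401, "RDR admin authentication required"
        return super().forward(action, params, caller)


def make_obs(allowed_ips):
    return ObsServer(sys_pwd="obs-secret", allowed_ips=allowed_ips, users={"alice": {}})


def scenario_direct_from_internet():
    """OBS on its own holds: an outside caller not on the IP filter is rejected."""
    return make_obs({RDR_IP}).api("ListUsers", {}, source_ip="203.0.113.5")


def scenario_vulnerable_rdr():
    """Through the unauthenticated RDR an anonymous caller lists and deletes users."""
    obs = make_obs({RDR_IP})
    rdr = VulnerableRdr(obs, "obs-secret")
    listing = rdr.forward("ListUsers", {}, caller={})
    rdr.forward("DeleteUser", {"LoginName": "alice"}, caller={})
    return listing, sorted(obs.users), rdr.log[0]


def scenario_fixed_rdr():
    """With admin authentication at the RDR, anonymous calls stop; the admin still works."""
    rdr = FixedRdr(make_obs({RDR_IP}), "obs-secret", "rdradmin", "rdr-admin-pw")
    anon = rdr.forward("ListUsers", {}, caller={})
    admin = rdr.forward("ListUsers", {}, caller={"user": "rdradmin", "password": "rdr-admin-pw"})
    return anon, admin


def scenario_rdr_blocked_at_obs():
    """Blocking the RDR's own IP at the OBS (as tried in the thread) breaks forwarding
    even for the legitimate admin: the access control has to sit at the RDR."""
    rdr = FixedRdr(make_obs(set()), "obs-secret", "rdradmin", "rdr-admin-pw")
    return rdr.forward("ListUsers", {}, caller={"user": "rdradmin", "password": "rdr-admin-pw"})


if __name__ == "__main__":
    for fn in (scenario_direct_from_internet, scenario_vulnerable_rdr,
               scenario_fixed_rdr, scenario_rdr_blocked_at_obs):
        print(fn.__name__, "->", fn())
```

The point the four scenarios make is that the OBS-side IP filter is the right control for direct callers but is blind to anything the trusted RDR forwards; once the RDR holds the backend credential, every request it relays is implicitly authenticated, so the caller check must happen in the RDR itself. The log line the RDR writes records the forward but not the caller, which is why reviewing RDR logs alone cannot tell legitimate from anonymous use of the 5.5.7.4 behaviour.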

Postby shsuhung » Thu Jan 27, 2011 11:10 am

Wow, such a critical issue and Ahsay is taking such a long time to respond to this forum or my support ticket...
shsuhung
 
Posts: 6
Joined: Thu Jan 27, 2011 12:05 am

Postby Support3 » Thu Jan 27, 2011 2:06 pm

Hi Stanley,

As mentioned in your support ticket, the issue has already been resolved in the current version of AhsayRDR (version 5.5.8.0), which is downloadable at:
http://pedia.ahsay.com/openArticle.aspx?aid=2166

Such an upgrade from version 5.5.7.4 to 5.5.8.0 would not affect the branding information of your AhsayRDR server, as mentioned in our ticket response.

Looking at the history of the Support Ticket, we have responded within the Standard Support Service targeted time (average response time for today is <30 mins). About your question on forum post response time, please review the General Rule again, as the Ahsay Technical Discussion Forum is not part of the service package. We will try to respond to any reasonable forum post in a timely manner. However, we cannot guarantee that a reply will be given within a fixed time frame.

Please refer to your Support Ticket for the latest details.
Support3
 
Posts: 6075
Joined: Wed Jan 02, 2008 11:08 am

Postby Support3 » Thu Jan 27, 2011 3:10 pm

Adding to our previous reply: you mentioned that AhsayRDR was not working properly when you modified the web.xml file of your AhsayOBS to impose an IP restriction. Can you clarify which filter you used, as we were not able to reproduce the case?

Can you please clarify the issue and give us the details in the ticket you submitted? There is currently no mention of this problem in your support ticket.

Thanks.
Support3
 
Posts: 6075
Joined: Wed Jan 02, 2008 11:08 am

Postby shsuhung » Thu Jan 27, 2011 11:17 pm

Hi,

As mentioned above, I have provided the error that was encountered when performing the IP restriction.

Also, it is nice that this was a "known issue" to Ahsay and was resolved with version 5.5.8.0, but as I stated in my ticket: "Why were we not informed of this when Ahsay found this out!" Hence I have created this topic to warn the community of the major security flaw and see if anyone has encountered this, or even fixed this issue, as I waited for a response from Ahsay.

If you were reviewing my support ticket on this issue, you would have seen that the longest time I had to wait for a response was about 12 hours, on such a critical issue as this.

I have submitted my ticket at the following time.
Ticket was submitted on 25 Jan @ 4:56PM
Support - 25 @ 2011 11:05 PM
User - 25 Jan @ 11:10 PM
Support - 25 Jan @ 11:48 PM
Support - 26 Jan @ 1:33 PM
User - 26 Jan @ 8:08 AM
User - 26 Jan @ 8:16 AM
Support - 26 Jan @ 8:08 PM


But at this point all I care about is getting this issue resolved and I do not want to argue more about this. I will try the upgrade on the RDR ASAP and I will let everyone know if the upgrade has patched this major security hole.
shsuhung
 
Posts: 6
Joined: Thu Jan 27, 2011 12:05 am

Postby lasseoe » Thu Jan 27, 2011 11:47 pm

shsuhung wrote:Also it is nice that this was a "known issue" to Ahsay

To be perfectly honest, I don't think Ahsay knew there was a hole, it just so happens that "Bug fix - Authenticate using AhsayRDR admin instead of AhsayOBS login when calling API via AhsayRDR (ref: UUB-876085, T-4768) (available since v5.5.7.4)" fixed the issue, or rather the bug is probably still there, but you can't trigger it. But, I don't know for sure.

If they knew, and did nothing, then well.. best not say anything, it'll get censored.
Lasse
lasseoe
 
Posts: 292
Joined: Fri Oct 02, 2009 5:07 am

Postby shsuhung » Fri Jan 28, 2011 12:36 am

Well, either way I would still like to let other users who are planning to use RDR, or are using RDR, know about this issue, and how they can get it resolved.

Performed the upgrade and confirmed that the security hole has been patched, but will perform further testing to make sure that this upgrade did not open up another hole.
shsuhung
 
Posts: 6
Joined: Thu Jan 27, 2011 12:05 am


Return to AhsayRDR

Who is online

Users browsing this forum: No registered users and 1 guest

Looking for Rbackup Alternative | Vembu Alternative | Novastor Alternative | Asigra Alternative | BackupAgent Alternative? Try our product.


A wholly owned subsidiary of Ahsay Backup Software Development Company Limited  [HKEx Stock Code: 8290]