Task #2230 (closed)

Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

Assess security risk of Spider scripts.

Reported by: wmoore
Owned by: wmoore
Priority: minor
Milestone: OMERO-Beta4.2
Component: General
Version: n.a.
Keywords: n.a.
Cc:
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: 0.0d
Sprint: 2010-04-16 (7)

Description (last modified by wmoore)

Might be dangerous to allow users to upload and run arbitrary Spider Procedure files on the server.

Users can run any of the Spider commands listed at http://www.wadsworth.org/spider_doc/spider/docs/operations_doc.html

Most of these process an image (or text) and may create files.

At most risk is the delete command: http://www.wadsworth.org/spider_doc/spider/docs/man/de.html

This will delete a file named as specified, with the extension used in the script (e.g. "dat"). Security would be improved by enforcing the "dat" extension. r6658.

Seems that it is possible to delete files in a parent directory to the one that the script is run in, or any file in the file system that has the correct file extension.

wjm:~ will$ cd Documents/dev/SPIDER/test
wjm:test will$ spider dat

 \__`O O'__/        SPIDER  --  COPYRIGHT
 ,__xXXXx___        HEALTH RESEARCH INC., ALBANY, NY.
  __xXXXx__
 /  /xxx\  \        VERSION:  UNIX  18.03 ISSUED: 08/31/2009
   /     \          DATE:     15-APR-2010    AT  16:00:41




*** FILE NOT FOUND: Applications/spiderweb/spider/bin/Nextresults                                  

 Results file: results.dat.000                                                                 
 Running: spider                                                                                                                                                          
 .OPERATION: DE
 DE
 .DELETE FILE: ../tmp001
  ../tmp001 
  DELETED: ../tmp001.dat
  
 .OPERATION: DE
 DE
 .DELETE FILE: /Users/will/Desktop/win001
  /Users/will/Desktop/win001 
  DELETED: /Users/will/Desktop/win001.dat
  
 .OPERATION: DE
 DE
 .DELETE FILE: /Users/will/Desktop/Picture36
  /Users/will/Desktop/Picture36 
  NO SUCH FILE: /Users/will/Desktop/Picture36.dat
  
 .OPERATION: DE  
 DE
 .DELETE FILE: /Users/will/Desktop/Picture36.png
  /Users/will/Desktop/Picture36 
  NO SUCH FILE: /Users/will/Desktop/Picture36.dat
  
 .OPERATION: 

So, this is definitely a security risk. The Spider scripts themselves should probably be vetted by admin. Add warning to script itself r6659.
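A pre-screen an admin could run while vetting an uploaded procedure file, as an added example that is not part of the ticket or of OMERO's code: it flags DE arguments that are absolute or that reference a parent directory. It assumes, as in the session output above, that the operation sits on its own line with the file name on the next non-blank line, and that ';' starts a comment; the function names are hypothetical.

```python
# Constructed sample procedure; the file arguments mirror those in the session above.
SAMPLE = """\
; constructed sample procedure
DE
tmp001
DE
../tmp001
DE
/Users/will/Desktop/win001
"""


def escape_reason(argument):
    """Explain why a DE file argument leaves the working directory, or return None."""
    if argument.startswith("/"):
        return "absolute path"
    if ".." in argument.split("/"):
        return "parent directory reference"
    return None


def risky_delete_args(procedure_text):
    """Return (line_number, argument, reason) for each DE argument that
    points outside the directory the script runs in.

    This only narrows down what a reviewer must read; it does not replace
    admin vetting of the whole procedure file.
    """
    findings = []
    expect_arg = False
    for number, raw in enumerate(procedure_text.splitlines(), start=1):
        # Assumption: ';' starts a comment that runs to the end of the line.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if expect_arg:
            # The line after a DE operation is its file argument.
            expect_arg = False
            reason = escape_reason(line)
            if reason:
                findings.append((number, line, reason))
            continue
        # Assumption: the operation name is the first token, case-insensitive.
        if line.split()[0].upper() == "DE":
            expect_arg = True
    return findings
```
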

Change History (8)

comment:1 Changed 9 years ago by wmoore

  • Description modified (diff)

comment:2 Changed 9 years ago by cxallan

  • Sprint changed from 2010-04-02 (6) to 2010-04-16 (7)

comment:3 Changed 9 years ago by wmoore

  • Status changed from new to assigned

comment:4 Changed 9 years ago by wmoore

r6658 removes file extension from Spider script parameters.

comment:5 Changed 9 years ago by wmoore

  • Description modified (diff)

comment:6 Changed 9 years ago by wmoore

  • Description modified (diff)

comment:7 Changed 9 years ago by wmoore

  • Description modified (diff)
  • Remaining Time changed from 0.5 to 0
  • Resolution set to fixed
  • Status changed from assigned to closed

comment:8 Changed 9 years ago by wmoore

  • Description modified (diff)