18 April 2013

Dreamhost - security issue?

I'll post a chat transcript with DreamHost support and then comment a little bit.
Please wait for a site operator to respond.
All operators are currently assisting others. Thanks for your patience. An operator will be with you shortly.
You are now chatting with 'Brian'
Brian: Hi there, how can I help you?
Stefan: hello
Stefan: i have a strange issue
Brian: awesome, love those hehe
Stefan: i logged in with my credentials and i got another user account in my browser
Stefan: some <real name here>
Stefan: how is that possible ?
Brian: what email address did you login as?
Stefan: <my_email@address>
Brian: can you tell me the username you see? I logged in as you, and don't see anything weird
Stefan: i relog in and everything is ok
Stefan: but i was able to see <real name here>
Stefan: check his login history, you'll see a German IP connection to his account (that's mine) while he is from USA
Brian: awesome, seems weird you were able to see that. If it does happen again, note the usernames or domains you see and let us know
Stefan: i have a print screen with his account
Brian: we'd need the usernames, really
Brian: anything else I can help you with?
Stefan: where can i see his username? my safari session is still connected
Brian: https://panel.dreamhost.com/index.cgi?tree=users.users&
Stefan: <his_email@address>
Stefan: bleah... it logged me out now
Brian: that is odd
Stefan: indeed
Stefan: let me tell you something even stranger
Stefan: i'm on a brand new macbook air, never used it before, with a clean safari browser
Brian: yea that is strange
Brian: if it happens again, do not log out, and let us know, and we'll look into it
Stefan: as i mentioned above, i'm in Germany (Europe) and this guy is somewhere in California (I saw it in the account info)
Stefan: i didn't logout... the app logged me out automatically after a couple of clicks (or waiting time)
Stefan: anything else I can help with for the investigation?
Brian: but you said you "relogged in", that would cause your session to be reset
Brian: don't do that, and simply start a chat instead
Stefan: i waited for a chat to connect about 30 minutes on the safari browser... this is chrome, seems to be faster
Brian: that's just us being backed up, not a difference in browsers. I apologize for that
Stefan: that's ok
Brian: anything else I can help with?
Stefan: nope, i'm good
Stefan: have a good day!
Brian: ok, you too!
Chat session has been terminated by the site operator.
So, tonight it seems that I was able to log in to another user's account via my Safari browser. That's the strangest thing that ever happened, and I'm not drunk or high at the moment.

What I don't like is that the support guys, instead of trying to get more data from my side, just tried to close the chat connection. Maybe they are monitored on how long a user is connected.
The 2nd thing I don't like is the HUGE security issue that I've found. This is unacceptable.

I contacted the user whose account I logged into and told him what happened. It seems that he's a friend of a friend of mine.

His reply below:
Thanks Stefan,
Just a question, were you able to figure out the password or when you logged in to your account did mine show up?
I've had the second happen to me previously and they gave me some bullshit about cookies.
Just trying to figure out what happened.
So this is not the 1st time this has happened. Luckily it was me who had access to all his domains, VPS and emails... I suggested that he change his password. Waiting to see if it will happen again.

09 April 2013

RIAK-CS: Create admin user error


While trying for hours to create an admin user, all the online docs were suggesting to POST data to either http://localhost:8080/user or http://localhost:8080/riak-cs/user. None of them are completely right.

I was getting either "HTTP/1.1 404 Object Not Found" or "HTTP/1.1 403 Forbidden" or "HTTP/1.1 405 Method Not Allowed". Detailed output below.

# curl -v -H 'Content-Type: application/json' -X POST http://localhost:8080/riak-cs/user --data '{"email":"my@email.com", "name":"adminuser"}'
* About to connect() to localhost port 8080 (#0)
*   Trying localhost... connected
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST /riak-cs/user HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> Host: localhost:8080
> Accept: */*
> Content-Type: application/json
> Content-Length: 48
>
< HTTP/1.1 405 Method Not Allowed
< Server: Riak CS
< Date: Mon, 08 Apr 2013 22:45:20 GMT
< Content-Length: 0
< Allow: HEAD, GET, DELETE, PUT
<
* Connection #0 to host localhost left intact
* Closing connection #0

# curl -v -H 'Content-Type: application/json' -X PUT http://localhost:8080/riak/user --data '{"email":"my@email.com", "name":"adminuser"}'
* About to connect() to localhost port 8080 (#0)
*   Trying localhost... connected
* Connected to localhost (127.0.0.1) port 8080 (#0)
> PUT /riak/user HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> Host: localhost:8080
> Accept: */*
> Content-Type: application/json
> Content-Length: 48
>
< HTTP/1.1 404 Object Not Found
< Server: Riak CS
< Date: Mon, 08 Apr 2013 22:45:36 GMT
< Content-Type: application/xml
< Content-Length: 187
<
* Connection #0 to host localhost left intact
* Closing connection #0
<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist.</Message><Resource>/riak/user</Resource><RequestId></RequestId></Error>

# curl -v -H 'Content-Type: application/json' -X PUT http://localhost:8080/user --data '{"email":"my@email.com", "name":"adminuser"}'
* About to connect() to localhost port 8080 (#0)
*   Trying localhost... connected
* Connected to localhost (localhost) port 8080 (#0)
> PUT /user HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> Host: localhost:8080
> Accept: */*
> Content-Type: application/json
> Content-Length: 48
>
< HTTP/1.1 403 Forbidden
< Server: Riak CS
< Date: Mon, 08 Apr 2013 22:49:10 GMT
< Content-Type: application/xml
< Content-Length: 159
<
* Connection #0 to host localhost left intact
* Closing connection #0
<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>/user</Resource><RequestId></RequestId></Error>

To fix it (I'm sure that's why you're here), I checked/changed the following:
1. In /etc/riak-cs/app.config, this is the most common mistake
from: {anonymous_user_creation, false},
to: {anonymous_user_creation, true},

2. In the curl call (the documentation gets this wrong):
curl -v -H 'Content-Type: application/json' -X POST http://127.0.0.1:8000/riak-cs/user --data '{"email":"my@email.com", "name":"admin"}'

Note the IP and port. Those come from the following settings in /etc/riak-cs/app.config:
{admin_ip, "127.0.0.1"},
{admin_port, 8000},
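
As an added example (my code, not the post's or Riak CS's), here is a small Python helper that classifies the three responses quoted above into the causes the post found and builds the request against the admin interface. ADMIN_IP and ADMIN_PORT are the app.config values from the post; the diagnosis wording and function names are assumptions.

```python
# Added example, not the post's or Riak CS's code: classify the three responses
# quoted above and build the request against the admin interface.
import json
import xml.etree.ElementTree as ET
from urllib import error, request

ADMIN_IP, ADMIN_PORT = "127.0.0.1", 8000   # admin_ip/admin_port from app.config

# Error bodies copied from the curl output above, for offline testing.
BODY_404 = (b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket'
            b'</Code><Message>The specified bucket does not exist.</Message>'
            b'<Resource>/riak/user</Resource><RequestId></RequestId></Error>')
BODY_403 = (b'<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied'
            b'</Code><Message>Access Denied</Message><Resource>/user</Resource>'
            b'<RequestId></RequestId></Error>')

def error_code(body):
    """Return the <Code> of an S3-style XML error body, or None."""
    try:
        return ET.fromstring(body).findtext("Code") if body.strip() else None
    except ET.ParseError:
        return None

def diagnose(status, body=b"", allow=""):
    """Map status + body to the cause the post found (wording is mine)."""
    code = error_code(body)
    if status == 405 and "PUT" in allow:      # the S3 API on 8080 answered
        return "wrong port: POST to admin_port, not the S3 port"
    if status == 404 and code == "NoSuchBucket":
        return "wrong path/port: the S3 API read /riak/user as a bucket"
    if status == 403 and code == "AccessDenied":
        return "anonymous_user_creation is false in app.config"
    return f"unexpected {status} ({code})"

def admin_user_request(email, name):
    """The request the post ends up with: POST /riak-cs/user on admin_port."""
    return request.Request(
        f"http://{ADMIN_IP}:{ADMIN_PORT}/riak-cs/user",
        data=json.dumps({"email": email, "name": name}).encode(),
        headers={"Content-Type": "application/json"}, method="POST")

def create_admin_user(email, name):
    """Send the request; return (status, diagnosis, raw body). Once this
    succeeds, set anonymous_user_creation back to false in app.config."""
    try:
        with request.urlopen(admin_user_request(email, name)) as r:
            return r.status, "ok", r.read()
    except error.HTTPError as e:
        body = e.read()
        return e.code, diagnose(e.code, body, e.headers.get("Allow", "")), body
```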

I spent about 4 hours finding this. Why don't you try a thank you below? :-)