Monday, April 6. 2020
Userdir URLs like https://example.org/~username/ are dangerous
I would like to point out a security problem with a classic variant of web space hosting. While this issue should be obvious to anyone knowing basic web security, I have never seen it being discussed publicly.
Some server operators allow every user on the system to have a personal web space where they can place files in a directory (often ~/public_html) and they will appear on the host under a URL with a tilde and their username (e.g. https://example.org/~username/). The Apache web server provides such a function in the mod_userdir module. While this concept is rather old, it is still used by some and is often used by universities and Linux distributions.
From a web security perspective there is a very obvious problem with such setups that stems from the same origin policy, which is a core principle of Javascript security. While there are many subtleties about it, the key principle is that a piece of Javascript running on one web host is isolated from other web hosts.
To put this into a practical example: If you read your emails on a web interface on example.com then a script running on example.org should not be able to read your mails, change your password or mess in any other way with the application running on a different host. However if an attacker can place a script on example.com, which is called a Cross Site Scripting or XSS vulnerability, the attacker may be able to do all that.
The problem with userdir URLs should now become obvious: All userdir URLs on one server run on the same host and thus are in the same origin. It has XSS by design.
What does that mean in practice? Let‘s assume we have Bob, who has the username „bob“ on exampe.org, runs a blog on https://example.org/~bob/. User Mallory, who has the username „mallory“ on the same host, wants to attack Bob. If Bob is currently logged into his blog and Mallory manages to convince Bob to open her webpage – hosted at https://example.org/~mallory/ - at the same time she can place an attack script there that will attack Bob. The attack could be a variety of things from adding another user to the blog, changing Bob‘s password or reading unpublished content.
This is only an issue if the users on example.org do not trust each other, so the operator of the host may decide this is no problem if there is only a small number of trusted users. However there is another issue: An XSS vulnerability on any of the userdir web pages on the same host may be used to attack any other web page on the same host.
So if for example Alice runs an outdated web application with a known XSS vulnerability on https://example.org/~alice/ and Bob runs his blog on https://example.org/~bob/ then Mallory can use the vulnerability in Alice‘s web application to attack Bob.
All of this is primarily an issue if people run non-trivial web applications that have accounts and logins. If the web pages are only used to host static content the issues become much less problematic, though it is still with some limitations possible that one user could show the webpage of another user in a manipulated way.
So what does that mean? You probably should not use userdir URLs for anything except hosting of simple, static content - and probably not even there if you can avoid it. Even in situations where all users are considered trusted there is an increased risk, as vulnerabilities can cross application boundaries. As for Apache‘s mod_userdir I have contacted the Apache developers and they agreed to add a warning to the documentation.
If you want to provide something similar to your users you might want to give every user a subdomain, for example https://alice.example.org/, https://bob.example.org/ etc. There is however still a caveat with this: Unfortunately the same origin policy does not apply to all web technologies and particularly it does not apply to Cookies. However cross-hostname Cookie attacks are much less straightforward and there is often no practical attack scenario, thus using subdomains is still the more secure choice.
To avoid these Cookie issues for domains where user content is hosted regularly – a well-known example is github.io – there is the Public Suffix List for such domains. If you run a service with user subdomains you might want to consider adding your domain there, which can be done with a pull request.
Some server operators allow every user on the system to have a personal web space where they can place files in a directory (often ~/public_html) and they will appear on the host under a URL with a tilde and their username (e.g. https://example.org/~username/). The Apache web server provides such a function in the mod_userdir module. While this concept is rather old, it is still used by some and is often used by universities and Linux distributions.
From a web security perspective there is a very obvious problem with such setups that stems from the same origin policy, which is a core principle of Javascript security. While there are many subtleties about it, the key principle is that a piece of Javascript running on one web host is isolated from other web hosts.
To put this into a practical example: If you read your emails on a web interface on example.com then a script running on example.org should not be able to read your mails, change your password or mess in any other way with the application running on a different host. However if an attacker can place a script on example.com, which is called a Cross Site Scripting or XSS vulnerability, the attacker may be able to do all that.
The problem with userdir URLs should now become obvious: All userdir URLs on one server run on the same host and thus are in the same origin. It has XSS by design.
What does that mean in practice? Let‘s assume we have Bob, who has the username „bob“ on exampe.org, runs a blog on https://example.org/~bob/. User Mallory, who has the username „mallory“ on the same host, wants to attack Bob. If Bob is currently logged into his blog and Mallory manages to convince Bob to open her webpage – hosted at https://example.org/~mallory/ - at the same time she can place an attack script there that will attack Bob. The attack could be a variety of things from adding another user to the blog, changing Bob‘s password or reading unpublished content.
This is only an issue if the users on example.org do not trust each other, so the operator of the host may decide this is no problem if there is only a small number of trusted users. However there is another issue: An XSS vulnerability on any of the userdir web pages on the same host may be used to attack any other web page on the same host.
So if for example Alice runs an outdated web application with a known XSS vulnerability on https://example.org/~alice/ and Bob runs his blog on https://example.org/~bob/ then Mallory can use the vulnerability in Alice‘s web application to attack Bob.
All of this is primarily an issue if people run non-trivial web applications that have accounts and logins. If the web pages are only used to host static content the issues become much less problematic, though it is still with some limitations possible that one user could show the webpage of another user in a manipulated way.
So what does that mean? You probably should not use userdir URLs for anything except hosting of simple, static content - and probably not even there if you can avoid it. Even in situations where all users are considered trusted there is an increased risk, as vulnerabilities can cross application boundaries. As for Apache‘s mod_userdir I have contacted the Apache developers and they agreed to add a warning to the documentation.
If you want to provide something similar to your users you might want to give every user a subdomain, for example https://alice.example.org/, https://bob.example.org/ etc. There is however still a caveat with this: Unfortunately the same origin policy does not apply to all web technologies and particularly it does not apply to Cookies. However cross-hostname Cookie attacks are much less straightforward and there is often no practical attack scenario, thus using subdomains is still the more secure choice.
To avoid these Cookie issues for domains where user content is hosted regularly – a well-known example is github.io – there is the Public Suffix List for such domains. If you run a service with user subdomains you might want to consider adding your domain there, which can be done with a pull request.
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
Thanks for your article and the very practical advice!
Don't you feel like this is a problem with the web (as it is today) in general? It has to do with client-side scripting (as decided by the server) as an anti-feature.
Some protocols like Gemini ( https://gemini.circumlunar.space/docs/faq.txt ) try to reinvent a simpler web (or more advanced gopherspace). But still i wonder if the web has to be doomed. Shouldn't we aim to build entirely noscript websites and browsers?
Cheers
Don't you feel like this is a problem with the web (as it is today) in general? It has to do with client-side scripting (as decided by the server) as an anti-feature.
Some protocols like Gemini ( https://gemini.circumlunar.space/docs/faq.txt ) try to reinvent a simpler web (or more advanced gopherspace). But still i wonder if the web has to be doomed. Shouldn't we aim to build entirely noscript websites and browsers?
Cheers
The multi-tenant webserver model in edus is fine. If a malicious script was found in someone's directory, you could pinpoint the flesh and blood person. Once you have large numbers of anonymous user accounts that cannot be tied to a person, then that becomes an issue. Generally once the application becomes a viable economic entity, it's not likely that the application is on a machine with this usage model. Or rather, you have to trust that the magical triumvirate of https, dns and public key infrastructure is working such that everything is working ok.
If you're doing something more serious, wouldn't the application try to do it's own certificate pinning?
If you're doing something more serious, wouldn't the application try to do it's own certificate pinning?
> If a malicious script was found in someone's directory, you could pinpoint the flesh and blood person.
That's not true. By the time you find out the person could've deleted the code. (Unless you log all filesystem changes.) Or the person could claim plausible deniability by installing code with an XSS that is used by the attack.
> If you're doing something more serious, wouldn't the application try to do it's own certificate pinning?
I have no idea what this has to do with the described attack.
That's not true. By the time you find out the person could've deleted the code. (Unless you log all filesystem changes.) Or the person could claim plausible deniability by installing code with an XSS that is used by the attack.
> If you're doing something more serious, wouldn't the application try to do it's own certificate pinning?
I have no idea what this has to do with the described attack.
> That's not true. By the time you find out the person could've deleted the code. (Unless you log all filesystem changes.) Or the person could claim plausible deniability by installing code with an XSS that is used by the attack.
Yes that's true. On the other hand, the cost of this might be negligible. Or rather the cost of this on the institution might be negligible if a student get's breached, even if it is leveraged to a broader scope, like for example the student's home environment, since that is not within the institution's purview.
> I have no idea what this has to do with the described attack.
i'll have to think about that one a bit as well
Yes that's true. On the other hand, the cost of this might be negligible. Or rather the cost of this on the institution might be negligible if a student get's breached, even if it is leveraged to a broader scope, like for example the student's home environment, since that is not within the institution's purview.
> I have no idea what this has to do with the described attack.
i'll have to think about that one a bit as well