heybuddy bypasses certificate checking when verifying credentials

Bug #798300 reported by Evgeni Golov
Affects: heybuddy
Importance: Critical
Assigned to: jezra

Bug Description

Inspired by http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608724 and https://bugs.launchpad.net/gwibber/+bug/705363 I tried the same in heybuddy (0.2.1).

1. Start heybuddy
2. Provide some invented username and password and "badcert.dorei.kerker.die-welt.net/notstatusnet" as Service (there is no StatusNet instance on that host, just my local apache with a self-signed cert)
3. Submit
4. Watch heybuddy connecting and failing "Service Not Found" (as said, there is no StatusNet instance)

Look in the logfile of my apache:
my.ip.addr.ess - - [16/Jun/2011:17:53:43 +0200] "GET /notstatusnet/api/account/verify_credentials.xml HTTP/1.1" 404 1691 "-" "Python-urllib/2.6"

The request comes from Communicator.verify_credentials():
    authheader = self.get_auth_string(name, password)
    request = urllib2.Request(url)
    request.add_header("Authorization", authheader)
Et voilà, my password would have been sent to someone who could hijack my connection/DNS/whatever.

Python's urllib is sadly not the best thing to handle that stuff :(
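
The pattern the report describes, written out as an added example (my code, not heybuddy's and not the patch discussed below): the same verify_credentials request built once over a context that accepts any certificate, as Python 2's urllib2 did, and once over a context that requires a trusted chain and a matching hostname, so the Basic-auth header can only leave the process inside a verified TLS session. Python 3 standard library only. The endpoint path is the one visible in the Apache log line above; the `opener` parameter, the `demo()` walk-through and the hostnames in it are my assumptions so the example runs offline.

```python
"""Added example, not heybuddy's own code: the verify_credentials request
with and without TLS certificate validation, Python 3 stdlib only.

Assumptions (mine, not from the bug report): the endpoint path below is
the StatusNet one seen in the Apache log; the `opener` parameter lets a
fake replace urllib.request.urlopen so the whole thing runs offline.
"""
import base64
import ssl
import urllib.error
import urllib.request

VERIFY_PATH = "/api/account/verify_credentials.xml"


def basic_auth_header(name, password):
    """HTTP Basic value: base64("user:password"). This is the secret the
    bug report shows being handed to an unverified peer."""
    token = base64.b64encode(f"{name}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def unverified_context():
    """The 'before' behaviour: accept any certificate, check no hostname.
    Equivalent to what Python 2's urllib2 did; kept only for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """Require a chain to a trusted CA and a hostname match. cafile=None
    uses the platform trust store, which avoids the hard-coded Debian
    certificate path mentioned later in this thread."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not is_verifying(ctx):
        raise RuntimeError("TLS context was downgraded")
    return ctx


def is_verifying(ctx):
    """True only if both hostname checking and chain validation are on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def build_request(service, name, password):
    """Compose the request. Only https is accepted: over plain http the
    password would leak to any on-path host, certificate or not."""
    if service.startswith("http://"):
        raise ValueError("refusing to send credentials over plain http")
    if service.startswith("https://"):
        service = service[len("https://"):]
    req = urllib.request.Request("https://" + service.rstrip("/") + VERIFY_PATH)
    req.add_header("Authorization", basic_auth_header(name, password))
    return req


def verify_credentials(service, name, password, context=None,
                       opener=urllib.request.urlopen):
    """Return (ok, reason). The Authorization header leaves the process
    only if the handshake under `context` succeeds; a certificate
    failure is reported as such, not as a generic 'Service Not Found'."""
    ctx = context if context is not None else verifying_context()
    req = build_request(service, name, password)
    try:
        with opener(req, context=ctx, timeout=10) as resp:
            return resp.status == 200, f"HTTP {resp.status}"
    except urllib.error.HTTPError as e:          # server answered, e.g. 404
        return False, f"HTTP {e.code}"
    except urllib.error.URLError as e:           # handshake or socket failed
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            return False, f"certificate rejected: {e.reason}"
        return False, f"connection failed: {e.reason}"


def demo():
    """Offline walk-through with constructed fake openers (no network).
    The hostname is invented; nothing here talks to the reporter's host."""
    seen = {}

    class FakeResponse:
        status = 200
        def __enter__(self): return self
        def __exit__(self, *exc): return False

    def good_server(req, context=None, timeout=None):
        seen["url"] = req.full_url
        seen["auth"] = req.get_header("Authorization")
        seen["verifying"] = is_verifying(context)
        return FakeResponse()

    def self_signed_server(req, context=None, timeout=None):
        # What urlopen raises when a verifying context rejects the peer:
        # the credentials are never sent because the handshake never completes.
        raise urllib.error.URLError(ssl.SSLCertVerificationError("self-signed certificate"))

    good = verify_credentials("badcert.example.invalid/notstatusnet",
                              "alice", "s3cret", opener=good_server)
    bad = verify_credentials("badcert.example.invalid/notstatusnet",
                             "alice", "s3cret", opener=self_signed_server)
    return {"good": good, "bad": bad, **seen}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check that matters is the one in verifying_context(): with `check_hostname` on and `verify_mode` at CERT_REQUIRED, a self-signed certificate such as the one on the reporter's test host makes urlopen raise before any request bytes, Authorization header included, are written to the socket.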

Revision history for this message
jezra (jezra) wrote :

Thanks for bringing this to my attention. I have a feeling this is going to be a difficult fix for the Maemo version.

Changed in heybuddy:
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → jezra (jezra)
Revision history for this message
Evgeni Golov (evgeni) wrote :

I have a fix handy using httplib2. It has two issues though:
 1. needs httplib2 (obviously)
 2. has a hard-coded path to a certificates file on my Debian system (will work on Ubuntu too, no idea about anything else)

See the attached patch.
I can push it to bzr if you don't mind disclosing this issue to the public.

Revision history for this message
jezra (jezra) wrote :

Thanks for the patch. I'm hoping to find a fix that doesn't require a 3rd party python module. However, when I get home, I'll run some tests of the SSL module and, if I can't get that to work satisfactorily, I'll be implementing your patch.

visibility: private → public
Revision history for this message
Evgeni Golov (evgeni) wrote :

Have a look at http://stackoverflow.com/questions/1087227/validate-ssl-certificates-with-python/3551700#3551700 then.
The code works (I tried); point 2 of my previous post applies though :(

Revision history for this message
jezra (jezra) wrote :

Would it be alright with you if I used 'badcert.dorei.kerker.die-welt.net/notstatusnet' to test some code?

Revision history for this message
Evgeni Golov (evgeni) wrote :

Sure you can, the machine should stand your "DoS" just fine ;)
You can also install a local apache and enable the ssl-snakeoil cert in it :)

jezra (jezra)
Changed in heybuddy:
status: Confirmed → Fix Committed
Revision history for this message
Evgeni Golov (evgeni) wrote : Re: [Bug 798300] Re: heybuddy bypasses certificate checking when verifying credentials

On 06/17/2011 08:11 PM, jezra wrote:
> ** Changed in: heybuddy
> Status: Confirmed => Fix Committed

Thanks!
Stuff from stackoverflow seems to be CC-SA licensed; you should add
proper information to the newly created file :)
And while at it, the source looks strangely indented on some lines, like
here:
http://bazaar.launchpad.net/~jezra/heybuddy/trunk/view/head:/CertificateValidatingHTTPSHandler.py#L62

regards
Evgeni

jezra (jezra)
Changed in heybuddy:
status: Fix Committed → Fix Released
This report contains Public Security information.