SPMS Security Issues. JACoW Team Meeting 2011 SINAP. Ivan Andrian JACoW

Transcription

1 SPMS Security Issues Team Meeting 2011 SINAP Ivan Andrian

2 Current security flaws SPMS is Oracle-based, installed in the Regional Support Centres The Upload/Download scripts are Perl-based, and run on a different server (the conference FileServer) The scripts do NOT have access to the DB for security reasons Different institutes/teams/policies Shared Oracle servers / conference server 2 Team Meeting 2011 SINAP SPMS Security Issues

3 URL spoofing By knowing the syntax of a Download URL it is possible to download whatever other Paper you want By building a well done HTML form, it is also possible to inject files onto the conference fileserver Limited to the papers directory (O.S. is safe!) All versions are kept and logs taken 3 Team Meeting 2011 SINAP SPMS Security Issues

4 Possible methods of security enhancement Connection to the DB (impossible for security reasons) Shared password (needs to be passed via HTTP insecure) Web Server source (SPMS) control (Apache, IIS, ) custom and non standard HTTP_REFERER medium quality measure (browser based) Hashed passwords 4 Team Meeting 2011 SINAP SPMS Security Issues

5 HTTP_REFERER check When clicking on a URL on a web page (or posting a FORM) usually brings the source URL to the target The web browser controls this behaviour Depends on the client s browser Custom-hacked browsers can modify this value Spoofable, even if difficult for the average user Proxies and firewalls can modify this value 5 Team Meeting 2011 SINAP SPMS Security Issues

6 HTTP_REFERER tests Upload/Download Scripts modified during IPAC2011 Now it is possible to configure a number of URLs as valid referrers in the configuration file A global password can override this behaviour (for direct downloads in batch Volker s JPSP) Unfortunately... doesn t work! 6 Team Meeting 2011 SINAP SPMS Security Issues

7 IPAC2011 production tests CERN RSP Oracle infrastructure (web/application server) File ESS Bilbao Ubuntu Linux LTS 7 Team Meeting 2011 SINAP SPMS Security Issues

8 Debugging: CERN ESS file upload (Perl) - DEBUG OPTIONS: { } REFERER == 'timeout' => 600, 'debug' => 1, 'referer_pwd_override' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'referer' => 0, Server filesystem type: Unix. Client platform detected: Linux FILENAME PARTS (NAME,DIR,EXT): FRYCA01.txt./ uploaded_file_info { 'Content-Type' => 'text/plain', 'Content-Disposition' => 'form-data; name="file_name"; filename="fryca01.txt"' } 8 Team Meeting 2011 SINAP SPMS Security Issues

9 Debugging: Elettra ESS file upload (Perl) - DEBUG OPTIONS: { 'timeout' => 600, 'debug' => 1, 'referer_pwd_override' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'referer' => 0, } REFERER == Server filesystem type: Unix. Client platform detected: Linux FILENAME PARTS (NAME,DIR,EXT): FRYCA01.txt./ uploaded_file_info { 'Content-Type' => 'text/plain', 'Content-Disposition' => 'form-data; name="file_name"; filename="fryca01.txt"' } 9 Team Meeting 2011 SINAP SPMS Security Issues

10 Debugging: CERN Elettra file upload (Perl) - DEBUG OPTIONS: { } REFERER == 'timeout' => 600, 'debug' => 1, 'referer_pwd_override' => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', 'referer' => 0, Server filesystem type: Unix. Client platform detected: Linux FILENAME PARTS (NAME,DIR,EXT): FRYCA01.txt./ uploaded_file_info { 'Content-Type' => 'text/plain', 'Content-Disposition' => 'form-data; name="file_name"; filename="fryca01.txt"' } 10 Team Meeting 2011 SINAP SPMS Security Issues

11 Another solution Preshared key in SPMS & Scripts The SPMS could send (in clear) a HASH of the password and the paper code The Scripts could check the HASH against the known preshared key A different HASH for each paper ID not usable for crosspaper ID spoofing 11 Team Meeting 2011 SINAP SPMS Security Issues

12 What s needed for this method Agree on a hash algorithm (MD5? SHA1? ) Modify the SPMS code to pass this hash easy (Matt) Modify the Scripts to use/check this hash easy (Ivan) Use it! easy (*) 12 Team Meeting 2011 SINAP SPMS Security Issues

13 Conclusions We can improve security Modifying the upload/download scripts isn t enough With small changes to SPMS and UDS we can strengthen the SPMS 13 Team Meeting 2011 SINAP SPMS Security Issues

14 SPMS / Conference Website Data Exchange Team Meeting 2011 SINAP Ivan Andrian <ivan.andrian@elettra.trieste.it>

15 Tools to build a better Conference Website Examples: List of Participants Scientific Programme Abstract Submission Report Industrial Exhibition Layout and Reservations Industrial Exhibitors Report Delegate Registration Report 15 Team Meeting 2011 SINAP SPMS Security Issues

16 Conference WebSites variety Up to Conference Organisers tastes & infrastructure PHP ASP.Net Wiki-based sites CMS-based sites (WordPress, Joomla, Drupal,...) Impossible to standardise Could be a plus for the Conference (characterisation) 16 Team Meeting 2011 SINAP SPMS Security Issues

17 Different data extract types Open HTML pages from the SPMS List of Participants e.g. Conference WebSite can just grab data & display Open text data to be processed Conference dates Restricted text data to be processed List of Participants Now there s a dedicated SPMS Package: Xtract 17 Team Meeting 2011 SINAP SPMS Security Issues

18 Conference Dates e.g.: Conference WebSites (CWS) need to be up-to-date Possible inconsistency when changing SPMS values Live key dates taken from the SPMS Get Put the values onto the CWS as needed Procedure dependent on the CWS framework 18 Team Meeting 2011 SINAP SPMS Security Issues

19 List of Participants CSV format data extract Get Put the data onto the CWS as wanted Consistent names & Affiliation List No problems with special characters (ç, š, ñ, etc.) Just found a small bug! Will fix after TM (Sorry!) 19 Team Meeting 2011 SINAP SPMS Security Issues

20 Registration Statistics Build graphs of Registration Statistics trends Get Use the data within the CWS framework Put into CWS database & process Use Google Graphs etc. 20 Team Meeting 2011 SINAP SPMS Security Issues

21 Example (EPAC08-based) cron.php (cron: 1h exec... time: 1sec) Get Save attendees Get Save stats Create rrd db (system call: rrdtools 20/03/2008, 21, D create) Insert stats into db (system call: rrdtools update) Create graph (system call: rrdtools graph) Adjust image Remove db... "Boland","Mark","New Affiliation Request Pending","Australia","D" "Spencer","Martin","The Australian Synchrotron Project","Australia","D" "Conard","Milo","Particle Accelerator Consultants","Belgium","D"... 19/03/2008, 10, D 19/03/2008, 1, S 21/03/2008, 3, D Team Meeting 2011 SINAP SPMS Security Issues

22 22 Team Meeting 2011 SINAP SPMS Security Issues

23 Abstract submission report Similar to Registration Statistics data extract Day-by-day abstracts submitted counts CSV data to be processed Password-protected data extract (SPMS parameter) 23 Team Meeting 2011 SINAP SPMS Security Issues

24 Industrial Exhibition Layout The idea is to show a live map with booths status Booths Layout Available booths Reserved booths Reserved booths status taken from the SPMS External tools to create the map (PHP, libgd, etc.) Create a live image to display on registration page/cws 24 Team Meeting 2011 SINAP SPMS Security Issues

25 Procedure (EPAC08-based) png.php?f=0 SPMS Booth No. 63 Booth No. 64 Booth No. 65 Booth No. 66 Booth No. 67 Booth No. 68 Booth No. 69 Booth No. 70 Booth No. 71 Booth No. 72 Booth No Load boothsmap.dat Load boothsmapbase.png (libgd php functions) Draw booths (available / taken) Save & return boothsmap.png 63=[180,35,215,46] 64=[55,35,90,46] Team Meeting 2011 SINAP SPMS Security Issues

26 26 Team Meeting 2011 SINAP SPMS Security Issues

27 Scientific Programme Reports already exist in SPMS Pretty, but do not integrate well with CWSs Want ability customise the programme on CWS? OK, let s go! 27 Team Meeting 2011 SINAP SPMS Security Issues

28 Let s get the data first Based on the big post-conference XML Yes, it s big Did I tell you it s big? OK, I tell you. It s BIG For EPAC 08, it took ~300 to get (yes, 5 ) 28 Team Meeting 2011 SINAP SPMS Security Issues

29 So, let s do it every now and then... (w)get (every hour, exec time: 5, 15MB for EPAC08) xml2obj.php (exec time: 3 ) 1. Load spms.xml 2. Extract data from XML (php function: simplexml_load_file), build programme and abstract objects with essential fields 3. Save spms.programme (500KB) 4. Save spms.abstracts (1.1MB) 29 Team Meeting 2011 SINAP SPMS Security Issues

30 Create the final data files programme.php (cron: 1h exec time: 0.5 ) 1. Load spms.programme 2. Load spms.abstracts 3. Compose HTML programme pages 4. Save programme.xx-yy (1 per day) 5. Compose HTML abstract pages 6. Save abstract.xxxxxxx (1 per abstract) 30 Team Meeting 2011 SINAP SPMS Security Issues

31 Integrate into CWS Using the CWS framework tools, display the programme Easy to do with just HTML, CSS and JavaScript Load programme.xx-yy HTML page Compose page with link to extra CSS & JavaScript code (using prototype.js) Customised for the CWS styles 31 Team Meeting 2011 SINAP SPMS Security Issues

32 32 Team Meeting 2011 SINAP SPMS Security Issues

33 Extended to the venue 33 Team Meeting 2011 SINAP SPMS Security Issues

34 Conclusions and open questions There are things where the SPMS is not enough Dependent on CWS infrastructure and tools Something could be standardised Image maps creation We ll think of a central facility: Elettra probably easier support Scientific Programme: hard but nice We ll test the SPMS programme with CSS 34 Team Meeting 2011 SINAP SPMS Security Issues