Security upgrade

2017-03-06 - News - Tony Finch

A number of security vulnerabilities in the IP Register web user interface have been fixed.

XSRF

The most terrifying vulnerability was cross-site request forgery. If an IP Register user who was logged in to Raven clicked a malicious link or visited a malicious page, that web site could submit requests to IP Register in the user's name and make changes to the database, because the browser would attach the user's session cookie to the forged request.

This has been fixed by adding an XSRF token. The change should be invisible in normal use; if you get an XSRF error then there is a bug, so please let the IP Register team know.

The XSRF token is a hidden field in the form containing an expiry time (12 hours), a random number (which cannot be predicted by an attacker), and an HMAC signature over those values generated using the Jackdaw session cookie and a server-side secret. An attacker's site can neither read the victim's session cookie nor learn the secret, so it cannot forge a token; a valid token therefore guarantees that the form submission came from a legitimate IP Register web page generated for this session within the last 12 hours.

Non-interactive clients authenticated using long-term cookies are exempt from XSRF checks.

GET/POST confusion

The web user interface assumed that all requests were POST, but it did not actually check the HTTP method. This allowed an XSRF attacker to make changes to the database using only a GET request.

Now, interactive GET requests have their query parameters cleared so that they cannot make changes. This is more consistent with HTTP semantics, which define GET as a safe method that must not have side effects on the server. This change should also be invisible since the IP Register web forms only use POST.

Non-interactive clients authenticated using long-term cookies may use GET requests for read-only list_* actions on the list_ops form.
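As an added illustration (not IP Register's own code, which the post does not show), the following Python sketches the XSRF and GET/POST fixes together: an HMAC token bound to the session cookie with a 12-hour expiry, and a request-policy function that drops the query string on interactive GETs, checks the token on interactive POSTs, exempts long-term-cookie clients from the token check, and allows those clients GET only for list_* actions on the list_ops form. The secret, the token layout, the cookie values, the form and action names, and the use of SHA-256 are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed values for the example: a real deployment loads the secret from
# protected configuration. The 12-hour lifetime is the one the post describes.
XSRF_SECRET = b"example-only-secret-not-for-production"
XSRF_LIFETIME = 12 * 60 * 60


def _xsrf_mac(session_cookie: str, expiry: int, nonce: str) -> str:
    # The MAC covers the session cookie, so a token minted for one session
    # is useless against another, and covers expiry and nonce so neither
    # can be altered after issue.
    msg = f"{session_cookie}|{expiry}|{nonce}".encode()
    return hmac.new(XSRF_SECRET, msg, hashlib.sha256).hexdigest()


def make_xsrf_token(session_cookie: str, now: Optional[int] = None) -> str:
    """Mint the value for the hidden form field: expiry, nonce and MAC."""
    now = int(time.time()) if now is None else now
    expiry = now + XSRF_LIFETIME
    nonce = secrets.token_hex(16)  # unpredictable to an attacker
    return f"{expiry}:{nonce}:{_xsrf_mac(session_cookie, expiry, nonce)}"


def check_xsrf_token(token: str, session_cookie: str,
                     now: Optional[int] = None) -> bool:
    """True only if the token is well formed, unexpired, and its MAC matches
    this session. Malformed input is rejected rather than raising."""
    now = int(time.time()) if now is None else now
    try:
        expiry_s, nonce, mac = token.split(":")
        expiry = int(expiry_s)
    except ValueError:
        return False
    if now > expiry:
        return False
    expected = _xsrf_mac(session_cookie, expiry, nonce)
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, expected)


def authorize_request(method: str, form: str, action: str, params: dict,
                      session_cookie: str, long_term_client: bool,
                      now: Optional[int] = None) -> Optional[dict]:
    """Apply the request policy described in the post.

    Returns the parameters the action handler may act on, or None when the
    request must be refused. `long_term_client` is True for non-interactive
    clients authenticated by a long-term cookie.
    """
    if method == "GET":
        if long_term_client:
            # Such clients may use GET only for read-only list_* actions
            # on the list_ops form.
            if form == "list_ops" and action.startswith("list_"):
                return dict(params)
            return None
        # Interactive GET: discard the query string entirely, so a forged
        # link cannot smuggle in a modifying request.
        return {}
    if method == "POST":
        if long_term_client:
            return dict(params)  # exempt from the XSRF check
        token = params.get("xsrf_token")
        if token is None or not check_xsrf_token(token, session_cookie, now):
            return None
        return {k: v for k, v in params.items() if k != "xsrf_token"}
    return None  # HEAD, PUT, etc. are not part of the interface
```

When rendering a form, the server calls make_xsrf_token with the current session cookie and emits the result as the hidden field; on submission it passes the parsed POST body to authorize_request, which refuses the request when the token is missing, expired, forged, or minted for a different session.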

2FA for privileged users

Members of the IP Register team who have read/write access to the entire database must now use TOTP (time-based one-time passwords) to gain access to the web user interface, in addition to Raven authentication.

UIS passwords are promiscuously exposed to multiple computer systems, so they should not be relied on as the sole authenticator for privileged users. Before this change, if a system using UIS passwords was compromised, it would have been easy for the attacker to pwn our whole DNS, which in turn would have made it easy to compromise other systems.

This 2FA setup is a prototype, to give us some practical experience with running TOTP on a small scale. We would like to offer it more widely to other users of the IP Register database but we aren't currently able to do so.
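The post does not show how the TOTP check is done. As an added example (not IP Register's code), here is the RFC 6238 algorithm in Python with the two details a practitioner running it "on a small scale" has to settle: how much clock skew to tolerate between the phone and the server, and how to stop a code that was observed once from being accepted a second time. The key is the RFC's published test secret; the window size and the replay bookkeeping are assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

# The 20-byte ASCII test secret from RFC 4226 / RFC 6238. A real deployment
# generates a random per-user secret and enrols it once (e.g. via QR code).
TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits, reduced mod 10**digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from Unix time."""
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, submitted: str, now: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Check a submitted code. Returns the time-step counter that matched,
    which the caller stores as the user's new last_counter, or None.

    `window` steps either side of the current step are accepted so that a
    phone whose clock is slightly off still works; any counter at or below
    `last_counter` is refused so that a code seen once (say, by a
    compromised system) cannot be replayed within its 30-second step.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return candidate
    return None
```

The server stores the per-user secret and last accepted counter; after Raven has authenticated a privileged user it prompts for the code, calls verify_totp, and only on a non-None result records the returned counter and grants access.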

Cosmetic tweaks

As well as the security fixes, the IP Register web page header has been slightly adjusted.

  • The "clear" button is now a link, so that it doesn't provoke an XSRF failure.

  • The "debug" tickybox was broken. It now works, but is restricted to members of the IP Register team.

  • The "prefix" option which controls global read-only and read/write privileges for certain UIS staff has changed from a text box to a drop-down menu.

  • The "help" link has moved from the left to the right to make it more prominent.