A Radio Community Server security vulnerability and exploit were posted on NTBugtraq Sunday, as spotted by Ham Journalism. From the report: "This vulnerability makes it possible for an intruder to use the open SOAP or XML-RPC APIs published at http://www.soapware.org/xmlStorageSystem to create user accounts and upload random file data to any server running the Radio Community Server as published by UserLand Software Inc. at http://rcs.userland.com."

Comments

Comments and mail messages are usually both limited in what they can put on your server. This "security vulnerability" (I intentionally didn't call it a hole) allows anything to be put on an RCS (or PyCS) and served to the world. Maybe it's a feature rather than a bug, but now that an exploit has been made available, I'm hoping to see more discussion in the Radio Userland community so we can evaluate whether there's a risk here. I don't know the answer to that question.

This 'hole' is kind of the whole point of the 'community server' idea.

The advisory is basically saying that you can create an account through XMLRPC and then upload files that you can then download over the web. That's certainly true for RCS, PyCS and phpStorageSystem, because that's what they're for.

Running a community server means running a server for the community: anyone can store files on it, which will be served to the web. It's like running an open FTP server, except a little more obscure.

That said, RCS has an 'allow no more users' option, and PyCS and phpStorageSystem have a 'max usernum' variable which limits the number of accounts that can be created. The amount of data an individual user can store on the server is limited as well, so you can limit the amount of disk space people can use to ( amount per user * number of users ).

If you want to use PyCS or PSS on a private website, create all the accounts you want and then set the max usernum variable to zero. That will stop people from dumping random stuff on your server.

This certainly needs to be discussed. I was a little concerned about the idea of allowing anyone to create an account and store stuff on my server when coding PyCS, but nobody seems to have abused it.

As with Wikis - you have the power to change anything you like, but people don't seem to go in and deface or mass-delete Wiki pages.

Any ideas on suitable access control methods?

Add a Comment

These HTML tags are permitted: <p>, <b>, <i>, <a>, and <blockquote>. A comment may not include more than three links. This site is protected by reCAPTCHA (for which the Google Privacy Policy and Terms of Service apply).