Mailinglist Archive: opensuse-bugs (9718 mails)
[Bug 342605] New: Links to YMP files (1-click install) shouldn't be freely editable by everybody
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Sun, 18 Nov 2007 15:46:08 -0700 (MST)
- Message-id: <bug-342605-21960@xxxxxxxxxxxxxxxxxxxxxxxxx/>
https://bugzilla.novell.com/show_bug.cgi?id=342605
Summary: Links to YMP files (1-click install) shouldn't be freely
editable by everybody
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: wiki
AssignedTo: bnc-team-screening@xxxxxxxxxxxxxxxxxxxxxx
ReportedBy: bugreports@xxxxxxxxxx
QAContact: adrian@xxxxxxxxxx
Found By: ---
Since openSUSE 10.3, the wiki contains a lot of links to YMP files for 1-click
installation. These links can be edited by anybody with a freshly created
Novell account.
So for example on http://en.opensuse.org/NVIDIA, somebody could simply change
the 1-click installation link from http://opensuse-community.org/nvidia.ymp to
http://opensuse-trojan.org/trojan.ymp, with trojan.ymp being a YMP that pulls
in malicious software. This is dangerous for three reasons:
1) Even now the YMP files are not always hosted on opensuse.org, so even if the
user checks the status line of their browser when clicking on the "1-click
installation" link (and quite frankly, most won't), they will not see anything
wrong with it, as long as the URL sounds nice (the malicious YMP could just be
hosted on a domain like opensuse-ymp-packages.org or something).
2) The OpenPGP keys for most repositories are not shipped with openSUSE 10.3.
This means the user will be asked to accept the key of the repository no matter
if it is the real repository or a malicious repository.
3) To the user the wiki seems like an official SUSE site and it is very often
referenced when users seek help with a certain topic. This means, lots of users
will hit wiki pages and use 1-click install links from the wiki without much
critical thinking.
Quite frankly, I don't see what would prevent an attacker from just editing a
wiki page and changing 1-click install links to point to his malicious YMPs and
compromise lots of computers in no time, because the average user has little to
no chance to see that something is wrong with the YMPs. Of course, sooner or
later somebody will notice it and revert the wiki changes, but there is no way
to tell how soon that will happen and how many PCs will have become compromised
by then. This is why I think that this should really be addressed.
An easy solution could be to move all YMP files to opensuse.org and only allow
1-click installation links to point to URLs on opensuse.org. But I am not an
expert on legal matters (can the YMPs be moved to an official openSUSE server?)
or the Wiki.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
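The fix the reporter sketches in the mail above, accepting a 1-click link only when it points at opensuse.org, comes down to a host allowlist applied to wiki edits. The following is an added example of such a check, written for this archive page; it is not code from the bug report, the openSUSE wiki or any openSUSE project. The allowed host, the link regex, and the sample wiki text (including the hosts and paths in it) are all constructed for illustration. It deliberately handles the lookalike cases the report warns about (a "nice-sounding" domain, opensuse.org as a prefix of a longer attacker host, a trailing dot, userinfo before an @) and, as the report's own proposal implies, it also rejects the currently legitimate opensuse-community.org link until that file is moved.

```python
"""
Host allowlist for 1-click-install (YMP) links in wiki page source.

Added example, not openSUSE code.  Implements the reporter's proposal:
only links to opensuse.org (or a subdomain of it) may be saved.
"""
import re
from urllib.parse import urlsplit

# Assumption: the reporter's proposed allowlist, compared on whole DNS labels.
ALLOWED_HOSTS = ("opensuse.org",)

# Crude extractor for http(s) links ending in .ymp inside wiki markup.
# Stops at whitespace and the characters MediaWiki uses to close a link.
YMP_LINK_RE = re.compile(r"https?://[^\s\]\|<>\"']+\.ymp\b", re.IGNORECASE)


def is_allowed_ymp_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for an http(s) URL whose host is an allowed host or a
    subdomain of one.  Matching is on label boundaries, so
    'opensuse.org.example' and 'opensuse-ymp-packages.org' do NOT match."""
    try:
        parts = urlsplit(url)
    except ValueError:                 # malformed netloc (e.g. bad IPv6 brackets)
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if "@" in parts.netloc:            # userinfo trick: http://opensuse.org@evil.example/
        return False
    host = parts.hostname              # already lowercased, port stripped
    if not host:
        return False
    host = host.rstrip(".")            # 'opensuse.org.' is the same name in DNS
    try:
        host.encode("ascii")           # refuse non-ASCII (homoglyph) host names
    except UnicodeEncodeError:
        return False
    for allowed in allowed_hosts:
        allowed = allowed.lower().rstrip(".")
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def find_ymp_links(wiki_text):
    """Every YMP link in the page source, paired with its allowlist verdict."""
    return [(m.group(0), is_allowed_ymp_url(m.group(0)))
            for m in YMP_LINK_RE.finditer(wiki_text)]


def rejected_ymp_links(wiki_text):
    """Links an edit filter enforcing the allowlist would refuse to save."""
    return [url for url, ok in find_ymp_links(wiki_text) if not ok]


# Constructed sample page source (hosts and paths are made up for this example):
# one on-domain link, the community link the report mentions, and a vandalised
# link whose host merely starts with 'opensuse.org'.
SAMPLE_WIKI_TEXT = """
== Installation ==
[http://download.opensuse.org/example/nvidia.ymp 1-click install]
Community build: [http://opensuse-community.org/nvidia.ymp 1-click install]
Edited by attacker: [http://opensuse.org.opensuse-ymp-packages.example/trojan.ymp 1-click install]
"""

if __name__ == "__main__":
    for url, ok in find_ymp_links(SAMPLE_WIKI_TEXT):
        print("ALLOW " if ok else "REJECT", url)
```

Running the block prints one line per link; only the download.opensuse.org link is allowed. Hooking `rejected_ymp_links` into a save-time filter would block an edit rather than rely on someone noticing and reverting it later, which is the window the report is worried about.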