On Wed, Nov 9, 2011 at 2:25 PM, Sam Johnston <[email protected]> wrote: > Apologies for the HTML — too many inline links. > > Sam > SploitCloud: exploiting cloud brokers for fun and > profit<http://samj.net/2011/10/sploitcloud.html>
[SNIP] > *Update:* If you look at the code you'll see the hourly rate is passed to > the client as "*cost*" and presumably trusted on return (if not, why is > it there?). I haven't seen a price manipulation > vulnerability<http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems>in > over a decade, but I'm not tinkering with it because I don't fancy being > accused of stealing from them or their providers. > > *Update:* While the consumer API <http://dl.enomaly.com/scbuyerapi> now > uses OAuth, the provider API <http://dl.enomaly.com/scprovider> still > uses Amazon's vulnerable > signatures<http://www.daemonology.net/blog/2008-12-18-AWS-signature-version-1-is-insecure.html>for > authentication: > > #sorts by key.lowercase(). ie A b c Dee e ffFf > sorted_keys = sorted(parameters.keys(), key=lambda k: k.lower()) > > #concatenates key,value pairs. a=1,b=2,C=32 becomes "a1b2C32" > data = ’’.join(key + parameters[key] for key in sorted_keys) > > #Data is now: > ecp_usernamespotcloudusernameparamAvalueTimestamp2006-12-08T07:48:03Z > digest = hmac.new(’spotcloudpassword’, data, sha).digest() > > > This may have been safe over SSL were it not for the fact that client > libraries (including python) typically don't validate the certificate chain > by default. > > http://bugs.python.org/issue1589 "Unfortunately, hostname matching is one of those ideas that seemed better when it was thought up than it actually proved to be in practice. I've had extensive experience with this, and have found it to almost always an application-specific decision..." and "It's more of a missing feature than a security issue in itself..." Jeff
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
