talksnomad.blogg.se

Hipchat download linux

I came across some chat stuff earlier and it reminded me about an issue which I found a workaround for at the time, but which I figured I should warn everyone about.

Last year I was doing some consulting for a company that relied on HipChat (well, the whole Atlassian suite really) for a few hundred employees. Everything was self-hosted and a few services shared the same server, so it was all proxied through Apache. While there were no issues with the software itself, we did run into what I would call a pretty big security issue regarding file uploads; when we contacted them they brushed it off as not a security issue.

The issue is that once a file is uploaded to HipChat, it can never be removed. If you just delete the file from the filesystem, a maintenance script that runs periodically will actually fail, causing additional issues. Atlassian saw this as a non-issue because a random character string is used as the name of the directory the file is uploaded to. The filenames remain the same as what was uploaded. All of the directories used by HipChat are the same length (iirc it was something like 12 characters) and consist of standard characters. While I am sure we can all agree that obscurity is not security, they further complicate this issue by a default installation not checking for brute-force attempts.

How we found this out was that an executive sent some financial data in a spreadsheet to another executive, who happened to be in charge of one of the IT-related departments and decided to check whether, having the link, he could download it from another computer that was not logged into HipChat. He of course could, as the file is just placed on the web server and no authentication information was checked: HipChat had a client, and having people log in through multiple programs is a pain. By default the directories have indexes off, so that helps. But it is very easy to have a script check every possible directory combination, and most executives like to name things like salaries.xls or budget2015.xls. I am sure you can see where I am going with this by now.

As I am not contracting for that company any more I am unable to verify for sure, and it is possible that they have fixed it. However, I checked the changelog for HipChat and did not see anything since I know we told them about it, which makes me think it is probably still an issue (I doubt they ninja-fixed it, as it would require a feature addition).
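Since the post describes random-character upload directories with no brute-force detection and everything proxied through Apache, one defensive check the proxy operator can run is to watch the access log for a single client collecting 404s across many distinct upload directories. This is an added example, not code from the post; the `/files/<12 chars>/<name>` URL shape and the sample log lines are constructed assumptions, not HipChat's real layout.

```python
import re
from collections import defaultdict

# Apache combined log format: client, identity, user, [timestamp], "request", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Upload URL shape is an assumption for illustration (fixed prefix, one 12-character
# alphanumeric directory, then the unchanged original filename), not HipChat's real layout.
UPLOAD_RE = re.compile(r'^/files/(?P<dir>[A-Za-z0-9]{12})/(?P<name>[^/?]+)$')

# Constructed sample log: one employee fetching a shared file (and once mistyping the
# link), and one external client walking through directory names that do not exist.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2015:10:00:01 +0000] "GET /files/a1b2c3d4e5f6/budget2015.xls HTTP/1.1" 200 51234 "-" "HipChat/2.0"
10.0.0.5 - - [01/Mar/2015:10:00:09 +0000] "GET /files/a1b2c3d4e5f7/budget2015.xls HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2015:10:01:00 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "python-requests/2.5"
203.0.113.9 - - [01/Mar/2015:10:01:01 +0000] "GET /files/zz0000000001/salaries.xls HTTP/1.1" 404 210 "-" "python-requests/2.5"
203.0.113.9 - - [01/Mar/2015:10:01:02 +0000] "GET /files/zz0000000002/salaries.xls HTTP/1.1" 404 210 "-" "python-requests/2.5"
203.0.113.9 - - [01/Mar/2015:10:01:03 +0000] "GET /files/zz0000000003/salaries.xls HTTP/1.1" 404 210 "-" "python-requests/2.5"
203.0.113.9 - - [01/Mar/2015:10:01:04 +0000] "GET /files/zz0000000004/salaries.xls HTTP/1.1" 404 210 "-" "python-requests/2.5"
203.0.113.9 - - [01/Mar/2015:10:01:05 +0000] "GET /files/zz0000000005/salaries.xls HTTP/1.1" 404 210 "-" "python-requests/2.5"
"""

def parse_line(line):
    """Split one access-log line into its fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_enumeration(lines, threshold=5):
    """Return {ip: distinct_missing_dirs} for clients whose 404s span >= threshold upload dirs."""
    # A user following a link they were given touches one directory; a client that collects
    # 404s across many distinct 12-character directories is probing the name space instead.
    misses = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "404":
            continue
        hit = UPLOAD_RE.match(rec["path"])
        if hit:
            misses[rec["ip"]].add(hit.group("dir"))
    return {ip: len(d) for ip, d in misses.items() if len(d) >= threshold}

def flagged_clients():
    """Run the detector over the constructed sample; expected result: {'203.0.113.9': 5}."""
    return detect_enumeration(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    print(flagged_clients())
```

The same logic can be pointed at a live `access_log` by replacing `SAMPLE_LOG.splitlines()` with a file iterator; the 404 filter is what separates a scanner from employees who legitimately hold working links.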