security-problem!? possible information-leakage

devzero at web.de devzero at web.de
Sun Feb 18 13:04:19 UTC 2007


Hello, 

i was trying to download a gzip snapshot from some mercurial repository. 
this always worked without a problem with my webbrowser, but always failed with wget from commandline.
so i wondered why it failed and also tried curl, another commandline utility for fetching web-content.

i got some weird error response which looks a little bit too "noisy".

here are parts of that error message:

--snipp--
<p>A problem occurred in a Python script. Here is the sequence of
function calls leading up to the error, in the order they occurred.</p>
<table width="100%" cellspacing=0 cellpadding=0 border=0>
--snipp--

now the more interesting part of that error message:

<tr><td><small><font color="#909090">result <em>undefined</em>, <strong>application</strong> = <mercurial.hgweb.request.wsgiapplication object>, <strong>environ</strong> = {'DOCUMENT_ROOT': '/var/www/localhost/htdocs', 'GATEWAY_INTERFACE': 'CGI/1.1', 'HTTP_ACCEPT': 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*', 'HTTP_HOST': '###hidden###', 'HTTP_PRAGMA': 'no-cache', 'HTTP_USER_AGENT': 'curl/7.11.0 (i686-suse-linux) libcurl/7.11.0 OpenSSL/0.9.7d ipv6 zlib/1.2.1', 'PATH': '/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin:/u...:/usr/qt/3/bin:/opt/vmware/server/bin:/usr/NX/bin', 'PATH_INFO': '###hidden###', 'PATH_TRANSLATED': '/var/www/localhost/htdocs/###hidden###', 'QUERY_STRING': 'ca=tip', ...}, <strong>start_response</strong> = <function start_response></font></small></td></tr></table>


as you can see, the server running mercurial web-frontend is also running vmware, nomachine NX and probably has installed KDE/XServer (QT3). (at least, PATH variables being set appropriately).
for security aware people, this is "informational leakage": some application accidentally telling details about the system, which hackers probably could exploit.

this happened with version 0.9.1 - i cannot tell if it exists for other versions and i cannot tell if this is caused by (webserver) misconfiguration or if this is a bug or some bad exception-handling inside the application - but i think it needs to be discussed, so that's why i'm posting to this list.

you may reproduce on your own by getting curl and trying some mercurial repositories, easy to find via google: http://www.google.de/search?q=%22Mercurial+Repositories%22+gz

regards
roland k. 
sysadmin
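
An added example, not part of the original post and not Mercurial's own code: a WSGI wrapper that keeps the traceback in the server log and returns a generic 500 to the client, plus a check for the error-page signature quoted above. All function and class names are hypothetical, and `leaky_app` and `broken_app` are constructed stand-ins for the failing request.

```python
import logging
import sys

log = logging.getLogger("wsgi.errors")
TRACEBACK_MARKER = b"A problem occurred in a Python script"  # phrase from the quoted page


class GenericErrorMiddleware:
    """Wrap a WSGI app so unhandled exceptions never reach the client as a traceback."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            result = self.app(environ, start_response)
            try:
                return list(result)  # buffer so errors raised while iterating are caught
            finally:
                getattr(result, "close", lambda: None)()
        except Exception:
            # Full detail goes to the server log only.
            log.exception("unhandled error for %s", environ.get("PATH_INFO", ""))
            body = b"Internal Server Error\n"
            headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
            # exc_info lets the server replace headers the app may already have set.
            start_response("500 Internal Server Error", headers, sys.exc_info())
            return [body]

def leaks_traceback(body):
    """True if a response body looks like a traceback page with an environ dump."""
    return TRACEBACK_MARKER in body or b"'DOCUMENT_ROOT'" in body

def call_app(app, environ):
    """Minimal WSGI driver for the demo: returns (status, body)."""
    seen = []
    body = b"".join(app(environ, lambda status, headers, exc_info=None: seen.append(status)))
    return seen[-1], body

def leaky_app(environ, start_response):
    """Constructed stand-in for the behaviour in the post: the error page dumps environ."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<p>A problem occurred in a Python script.</p>" + repr(environ).encode()]

def broken_app(environ, start_response):
    """Constructed app that raises, as the archive request did."""
    raise RuntimeError("archive failed")
```

The wrapper buffers the whole response, so a deployment serving large archives would wrap the iterator instead of calling `list()` on it.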
