[WebPub] Fwd: CPW Data on the web

Chris Peterson @ MIT chris.peterson at MIT.EDU
Fri May 11 14:57:36 EDT 2012


Hi all -

Earlier today we discovered that some of the contents of the admissions athena locker were being publicly indexed via a server which was serving AFS via FTP. As a result, some security-by-obscurity directories that we did not link to were nonetheless accessible by Google and by manually crawling through a directory tree.

Upon some further review this seems to be the case for many AFS directories. See, e.g.,

ftp://amusing.mit.edu/afs/net/dev/admin/www/root/org/a/

While this may / may not be an issue for folks, it was unknown to me as of this morning, and so I wanted to make sure others were aware as well in case there is hidden stuff in your office athena accounts which shouldn't be available via this kind of crawl. In order to check whether there is, you should go to your office's athena locker, which should be accessible at

ftp://amusing.mit.edu/afs/net/dev/admin/www/root/org/X

Where X is the first letter of the name of your athena locker. There will be a list of athena lockers under there. Find yours, and navigate through it. If there is stuff there that is accessible to this sort of browsing which shouldn't be, you may want to contact Accounts to get help setting permissions appropriately. If, on the other hand, everything should be accessible, then it's all fine.

I just wanted to let other folks in the web community here know in case more things than you wished were being revealed via the FTP browsing.

Best,

- Chris
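One way to do the permissions check described above from an Athena shell instead of clicking through the FTP tree, as an added example that is not part of the original thread: it walks a locker and flags every directory whose AFS ACL grants read to system:anyuser, which is the right an anonymous front-end such as the FTP server needs in order to serve the contents. It relies on the standard OpenAFS `fs listacl` output format; the locker path and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Audit an AFS locker for
# directories readable by system:anyuser. AFS ACLs are set per directory,
# so checking directories covers every file beneath them.
# "fs listacl <dir>" prints, in OpenAFS:
#   Access list for <dir> is
#   Normal rights:
#     system:anyuser rl
#     ...
#   Negative rights:        (optional section, entries that REMOVE rights)
#     ...

# Read one "fs listacl" listing on stdin. Print "r" if system:anyuser has
# read ("r") in the Normal rights section, otherwise print nothing.
anyuser_read_rights() {
    awk '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && $1 == "system:anyuser" && $2 ~ /r/ { found = 1 }
        END { if (found) print "r" }
    '
}

# Walk a locker and report every directory that system:anyuser can read.
# Usage: audit_locker /mit/<locker>   (needs AFS tokens and the fs command)
audit_locker() {
    find "$1" -type d 2>/dev/null | while IFS= read -r dir; do
        if [ -n "$(fs listacl "$dir" 2>/dev/null | anyuser_read_rights)" ]; then
            printf 'WORLD-READABLE: %s\n' "$dir"
        fi
    done
}

# Constructed sample listing (hypothetical locker) so the parser can be
# exercised without AFS; a real run would call audit_locker instead.
SAMPLE_OPEN='Access list for /mit/example/www/pages is
Normal rights:
  system:anyuser rl
  system:example rlidwka'

demo() {
    printf '%s\n' "$SAMPLE_OPEN" | anyuser_read_rights
}
```

Fixing a flagged directory means removing or tightening the system:anyuser entry (e.g. with `fs setacl`), which is the permission change the message says Accounts can help with.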

Begin forwarded message:

Hi Chris,

Quentin can explain in more detail (or I can once I get to a computer) but basically it's the last part of the URL that's relevant. So the permissions in the "admissions" locker, in the "mitcpw_OLD2010" directory and/or its "pages" subdirectory are incorrect and allowing this access. The server in question is serving the AFS filesystem but the contents are ultimately in the aforementioned directories. Accounts (x3-1325) can help with permission changes if necessary.

Sent from my mobile device

On May 11, 2012, at 11:29 AM, "Chris Peterson @ MIT" <chris.peterson at MIT.EDU> wrote:

Hi Quentin -

Someone in DSL discovered a table of CPW host contact info while googling. It looks like it is hosted on amusing.mit.edu, which I am guessing, based on its stuff.mit.edu/machine listing, is a SIPB XVM (I may be wrong).

From poking around in the directory tree I am not sure if this is a mirror or an archive of the MIT Athena system. I am also not sure why it seems to be open to anyone, or what we need to do to remove the stuff we would like to remove. From my experience poking around it almost seems like someone just dumped much of Athena into a publicly accessible FTP directory...but I may be wrong.

Any insights into what this is, what we should do, or people to whom I should speak?

- Chris
