Help with security in a project

Hi all!

Yesterday I released an interesting (at least for me) little “information center” for email clients (supporting Entourage, Mail, Mailsmith and PowerMail).

Basically, you, as end user, send me a message with subject “commander?doSomething=whatever”. In my email client, the script “commander” is executed with the provided parameters. These parameters will call the requested module (for example “sendMeDocs”), which is another script which will execute some actions and return a result. This result is commonly the body for the answer to the original message and could also include attachments.

I use it, for example, when I’m out of home and need information from my databases, entries in my Address Book, and even as a print center, where I send a document and it is returned as PDF or passed to the printer.

Well, it works fine for me.

However, when I release this to the public domain, there is a great inconsistency: security. Though “commander” keeps a list of authorized email addresses or domains, you know it is very easy to fake an email address. Though it is very difficult for me to guess whether you installed “commander” in your machine attached to a very particular email account, I could still send you an email and test if it is installed, so this is a so-called “security hole”.

You can see the first warnings here:

http://www.macupdate.com/info.php/id/13434
http://www.versiontracker.com/dyn/moreinfo/macosx/21671
http://scriptbuilders.net/category.php?id=1581

Well, there are two solutions:

  • Forget “commander” and trash it forever.
  • Attempt to create a security system.
    I’d like to take a look at the security system stuff and I’d like some help from you. I thought the following:
  • Create a simple permissions manager where a particular mail address has a password associated with it. This password may ride from mail to mail as plain text. So, potential hackers may catch it, though it is not very probable that there are hackers looking at my poor bytes :?:
  • Instruct the user to change the name of “modules”. commander will execute the following actions when this is the subject:
    commander?moduleName=parameters
    Then it will execute “moduleName”. If you change the name of the provided module “help” to “sdfksfduoiewriuoifdsoiu”, it may be difficult for a folk to guess the name of such a module and, consequently, to attempt to access its capabilities.
    However, the stupid hacker could still listen to the connection.

Well… I’m stuck here. Any ideas?

I don’t quite see what the issue is with security. The tool (which is very cool and useful, by the way) only works with modules that are created by the user; it does not actually compile and execute code, correct? So as long as the user doesn’t create a module that can delete files, compile the code and run the script, or do some other malicious action, why is this a security risk? The only problem I see is that it will be pretty easy to overload a system (essentially a DoS attack) with repeated requests, but this seems like a low-chance risk compared to the benefits this tool provides.

I developed a similar tool a few years ago to repackage messages. I had a business account that required authentication and when I was at a public computer I didn’t feel comfortable sending the passwords. So, I wrote a script/rule combination that would take an incoming message from a specific email address with a specific subject line prefix, and then pull out the relevant subject, to, cc, bcc, body, and attachments and create a new message from my business account and send that off. This required an always on machine at my base location and was quite useful.

Jon

Yep! My beginnings were also at my old work (an editorial). The user sent a message to an always-on machine with some instructions and the script made a PDF from a network Quark document, and sent it back to the user…

The point of view of some users is the following: aaaah! Seems that a folk called “jonn8” perhaps installed the stuff called “commander”… I’ll send him this message: “commander?find=/Users,registration,10”
Oh, well, definitely he installed “commander” and here is the response back:
/Users/jonn8/bank accounts/registration numbers and credit cards.txt
/Users/jonn8/projects/FWM/registration algorithm.scpt
Fine! This is pretty interesting, I think I need such documents… (he, he, he). I’ll query “commander” again: “commander?sendMeDocs=/Users/jonn8/bank accounts/registration numbers and credit cards.txt,/Users/jonn8/projects/FWM/registration algorithm.scpt”

Now, do you see the point? If I eliminate “sendMeDocs” or “find” or “ls” or “computer” (which can force-shutdown the machine), “commander” is not funny! :lol:

  • these are some of the built-in modules included with the distribution
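One defender-side way to close the gaps raised in the first post (a plain-text password, a spoofable From: address, renaming modules as protection) and to refuse the find/sendMeDocs scenario in the reply above, as an added Python example that is not part of this thread or of commander itself: each authorised sender holds a secret agreed out of band, the subject carries a timestamp and an HMAC over sender, module, parameters and time, and the receiver runs only module names on its own list. The subject layout, the function names and the sample sender are assumptions.

```python
import hmac
import hashlib
import time

# Constructed sample data: one authorised sender and the secret agreed with it out of band
# (never carried inside an email). Nothing here is code from the commander tool itself.
SENDER_KEYS = {"alice@example.com": b"constructed-shared-secret"}
# Modules the receiving side is willing to run; everything else is refused by name.
ALLOWED_MODULES = {"help", "sendMeDocs"}
MAX_SKEW = 300          # seconds a signed subject stays valid
SEEN = set()            # (sender, ts, mac) already executed; persist this in a real tool

def _mac(key, sender, module, params, ts):
    # Bind the tag to who asked, what they asked for, and when they asked.
    msg = "|".join([sender, module, params, str(ts)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def sign_command(sender, module, params, ts=None):
    """Sender side: subject of the form commander?module=params&ts=...&mac=... (params must not contain '&')."""
    ts = int(time.time()) if ts is None else ts
    mac = _mac(SENDER_KEYS[sender], sender, module, params, ts)
    return f"commander?{module}={params}&ts={ts}&mac={mac}"

def verify_command(sender, subject, now=None):
    """Receiver side: ((module, params), None) if authentic and fresh, else (None, reason)."""
    now = int(time.time()) if now is None else now
    key = SENDER_KEYS.get(sender)
    if key is None:
        return None, "unknown sender"
    if not subject.startswith("commander?"):
        return None, "not a commander subject"
    fields = dict(p.split("=", 1) for p in subject[len("commander?"):].split("&") if "=" in p)
    ts, mac = fields.pop("ts", None), fields.pop("mac", None)
    if ts is None or mac is None or len(fields) != 1 or not ts.isdigit():
        return None, "malformed subject"
    (module, params), = fields.items()
    if module not in ALLOWED_MODULES:
        return None, "module not allowed"          # refuse by name, not by obscurity
    if abs(now - int(ts)) > MAX_SKEW:
        return None, "stale or future timestamp"   # bounds the replay window
    if not hmac.compare_digest(mac, _mac(key, sender, module, params, int(ts))):
        return None, "bad signature"               # spoofed From: or tampered subject
    if (sender, ts, mac) in SEEN:
        return None, "replayed command"            # same subject seen again inside the window
    SEEN.add((sender, ts, mac))
    return (module, params), None
```

A captured subject is useless to a third party because the secret never travels with it, and a captured subject cannot be resent once its window has passed or it has been executed once.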