Dialogic Support Helpweb

Dialogic® IP Media Server

How to disable file access through port 8000 for the Dialogic IP Media Server

Symptom:
Certain files on the Dialogic® IP Media Server can be retrieved and viewed over the web through port 8000.  This is an unwanted by-product of the normal operation of the fido process.  Port 8000 is used by default by the fido process to fetch files for the Media Server from other servers when needed.  This technote describes how to resolve this issue.

Issue:
The ability to view key files in the system poses a potential security threat.  For the Dialogic® IP Media Server, the default means of accessing the Web User Interface is via the following address:

https://IPMS_IP_ADDRESS/  

After getting past the security certificate, the user is able to type in the username and password and access the built-in Web features to view settings and make changes as needed.  This activity all goes through the default Apache web server port: 80.

However, if a user accesses port 8000, then it is possible to view certain files (especially ones owned by user "snow") by using a link with the format:

http://IPMS_IP_ADDRESS:8000/anypathatall?url=file:/location/file

Using this format, the user can access the /etc/passwd file:

http://IPMS_IP_ADDRESS:8000/anypathatall?url=file:/etc/passwd 

In this case, the /etc/passwd file will be viewable within the browser.  Not all files are viewable, but some key files can be accessed, and thus there is a potential security threat.  In the case of /etc/passwd the password content is encrypted, but the file still gives the user some information, such as which users exist in the system.

For this scenario, modifying the Apache server script won't help because Apache isn't involved (it serves port 80).  Instead, the best way is to modify the firewall script to deny these requests.  This is shown below.

Fix / Solution:
Resolve this issue by setting up the firewall rules so that requests generated internally by fido to port 8000 are accepted but requests arriving from outside the server to port 8000 are rejected.  This can be done via "iptables", a package available within Linux for generating rules that handle packets coming to and going from the server.  To use it to resolve the issue, run the following procedure:

1.  Attempt to access the Dialogic® IP Media Server using the link http://IPMS_IP_ADDRESS:8000/anypathatall?url=file:/etc/passwd to confirm that you can see the /etc/passwd file.
2.  SSH into the IP Media Server with the maint login and change to super user ("sudo su" and provide password).
3.  Run the following 3 commands one after another:

iptables -A INPUT -p tcp -s 127.0.0.1 --dport 8000 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 8000 -j LOG
iptables -A INPUT -p tcp -s 0/0 --dport 8000 -j DROP

If the commands succeed, they print nothing.  If there is an error, a message is printed to stderr.
4.  Re-attempt to access the /etc/passwd file via the link above and this time it will take a while and then the browser will return a message similar to 'Browser cannot display the webpage'.

5.  If this goes through successfully, the 3 iptables lines above can be added to the /etc/sysconfig/iptables file so that they are applied on each boot.  To perform this step, it is recommended that the user consult standard Linux documentation on iptables to determine exactly where to insert these rules.
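The following script is an added example, not Dialogic's own tooling, that wraps the three-rule procedure above so it can be re-run safely and so the dropped attempts can be reviewed afterwards.  It assumes iptables is on the PATH and that the script runs as root (when DRY_RUN is set it only prints the commands it would run).  The log prefix "IPMS-8000-DROP: ", the rate limit on the LOG rule, and the sample log lines are all constructed here and are not part of the technote.

```shell
#!/bin/sh
# Added example, not Dialogic's own script: install the technote's three
# port-8000 rules idempotently, tag the LOG rule with a recognisable prefix
# and a rate limit, and summarise the resulting kernel log lines.
# Assumptions: iptables is on PATH and we run as root, unless DRY_RUN is
# set, in which case commands are only printed. The prefix and the sample
# log lines below are constructed for this example.

LOG_PREFIX="IPMS-8000-DROP: "

# Run an iptables command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# True if the rule is already in the chain (iptables -C). In dry-run mode
# report "missing" so every rule gets printed.
rule_present() {
    [ -z "${DRY_RUN:-}" ] && iptables -C "$@" 2>/dev/null
}

# Append a rule only when it is missing, so re-running the script does not
# stack duplicate copies in the INPUT chain.
ensure_rule() {
    rule_present "$@" || run -A "$@"
}

# The technote's rules, in the order that matters: -A appends and the chain
# is matched top down, so the loopback ACCEPT must precede the DROP.
# The LOG rule gains a rate limit so a port scan cannot flood syslog.
apply_rules() {
    ensure_rule INPUT -p tcp -s 127.0.0.1 --dport 8000 -j ACCEPT
    ensure_rule INPUT -p tcp -s 0/0 --dport 8000 -m limit --limit 5/min \
        -j LOG --log-prefix "$LOG_PREFIX"
    ensure_rule INPUT -p tcp -s 0/0 --dport 8000 -j DROP
}

# Read kernel log lines on stdin (e.g. from /var/log/messages), keep only
# those produced by the LOG rule above, and print "count source" pairs,
# busiest source first.
summarise_drops() {
    grep -F "$LOG_PREFIX" | grep -E 'DPT=8000([^0-9]|$)' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Number of distinct external sources that hit port 8000 in the log on stdin.
count_sources() {
    summarise_drops | wc -l | tr -d ' '
}

# Constructed sample log lines in netfilter LOG format (RFC 5737 addresses);
# the last line is from an unrelated rule and must be ignored.
SAMPLE_LOG='Mar  3 10:15:02 ipms kernel: IPMS-8000-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=51234 DPT=8000 SYN
Mar  3 10:15:05 ipms kernel: IPMS-8000-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=51235 DPT=8000 SYN
Mar  3 10:16:40 ipms kernel: IPMS-8000-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=40001 DPT=8000 SYN
Mar  3 10:17:00 ipms kernel: OTHER-RULE: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=40002 DPT=80 SYN'

# Usage: "sh harden_8000.sh apply" installs the rules (DRY_RUN=1 to preview),
# "grep IPMS-8000-DROP /var/log/messages | sh harden_8000.sh summarise"
# reports who was dropped, and "sh harden_8000.sh demo" runs on the sample.
case "${1:-}" in
    apply)     apply_rules ;;
    summarise) summarise_drops ;;
    demo)      printf '%s\n' "$SAMPLE_LOG" | summarise_drops ;;
esac
```

Two points worth checking when you apply this.  First, because the rules are appended, any earlier rule in the INPUT chain that already accepts port 8000 (or accepts everything) will be matched first and the DROP will never be reached; run "iptables -L INPUT -n --line-numbers" and confirm the new rules sit before any such catch-all.  Second, the local ACCEPT matches only the 127.0.0.1 source address, so if fido reaches port 8000 through the server's own non-loopback address that traffic would be dropped as well; after applying the rules, verify both that the external fetch in step 4 now fails and that the Media Server's own file retrieval still works.  For step 5, the same three rules go into /etc/sysconfig/iptables as "-A INPUT ..." lines inside the *filter section, before the chain's final catch-all rule and the COMMIT line.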

Product List
Dialogic® IP Media Server

Glossary of Acronyms / Terms
IPMS - IP Media Server
IP - Internet Protocol

Related Documentation
External Link: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
