Miva, Miva Script, Miva Empresa, Miva Mia and Miva Merchant are registered trademarks of the Miva Corporation
 

MIVA® SECURITY: Miva Mia™ Security Risks

by Ivo Truxa, 03/07/2000

Experienced Miva developers probably know that installing Miva Mia opens doors for intruders, and they have probably already taken some countermeasures.

However, because Miva Script is so simple, there are many newcomers who have very little experience with the Web and its security, and perhaps not all of them realize the potential risks of installing Miva Mia or any other server software on their systems.


Where are the risks?

The moment you install Miva Mia, your PC becomes a regular web server and its Miva directory is accessible via TCP/IP to anybody on your LAN and, worse, as soon as you are connected to the Internet, to anybody worldwide.


Where is the problem?

You may say: "No problem, this way I serve just the scripts that I serve on my regular web server anyway. Miva does not show the sources - there is no risk!"
Well, this is only partly true. Because you use Mia to develop scripts, you very probably also have several versions of your scripts, scripts in progress, buggy scripts, various test and evaluation scripts and tools, and maybe some third-party scripts too. That means a lot of potential places where an intruder can exploit your system.


What can happen?

Even if it looks as though an intruder could only view documents as if they were served by your real web server, there are many more possibilities:

  • Your script directory can be scanned for known freeware or commercial scripts with known bugs.
  • An intruder usually cannot reveal your directory structure in a simple manner, but he can scan your Miva directory for guessed file names.
  • Not only Miva scripts and HTML files can be grabbed, but also all your files with remarks and comments, documents, backups, temporary or any other files in your Miva script directory.
  • Some virus scanners, FTP clients and other programs create standard files in your directories, from which all file names can be revealed.

How could an intruder guess my file names?

He can try some frequently used file names (index.*, welcome.*, default.*, admin.*, ...) or get some ideas from your website. He can use a dictionary or generate names by an algorithm. Such a scanner can easily be made even with Miva.

Because Mia does not log user accesses, an intruder can scan your PC for a long time without being noticed. He does not need to transfer a lot of data for the scanning.
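
To see what such guessing could reach, the following added example (not part of the original article) inventories a script directory and flags the kinds of files listed above. The suffix and file-name lists, including `.mv` for scripts and `WS_FTP.LOG` and `CHKLIST.MS` as tool-generated listings, are assumptions to adapt, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

# All lists below are illustrative assumptions; extend them for your own setup.
GUESSABLE_STEMS = {"index", "welcome", "default", "admin"}    # names the article lists
FILE_LIST_LEAKS = {"ws_ftp.log", "chklist.ms"}                # tool-made listings (examples)
BACKUP_SUFFIXES = {".bak", ".old", ".orig", ".tmp", ".zip"}
INTENDED_SUFFIXES = {".mv", ".htm", ".html", ".gif", ".jpg"}  # what you mean to serve

def classify(path):
    """Return the reason a file deserves review, or None if it looks intended."""
    name, suffix = path.name.lower(), path.suffix.lower()
    if name in FILE_LIST_LEAKS:
        return "tool-generated file that lists other file names"
    if suffix in BACKUP_SUFFIXES or name.endswith("~"):
        return "backup or temporary copy"
    if suffix not in INTENDED_SUFFIXES:
        return "notes, documents or other non-served content"
    if path.stem.lower() in GUESSABLE_STEMS:
        return "commonly guessed name"
    return None

def audit(root):
    """Map each flagged file (path relative to root) to its reason."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reason = classify(path)
            if reason:
                findings[path.relative_to(root).as_posix()] = reason
    return findings

def build_sample(root):
    """Constructed sample tree standing in for a Mia script directory."""
    for rel in ["shop.mv", "admin.mv", "shop.mv.bak", "todo.txt",
                "WS_FTP.LOG", "test/draft2.mv", "img/logo.gif"]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for rel, reason in audit(Path(tmp)).items():
            print(f"{rel}: {reason}")
```

A name-based inventory cannot tell a finished script from one in progress (`test/draft2.mv` passes unflagged), so the unflagged remainder still needs a manual look.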

The moment a vulnerable Miva script or other file is found, the intruder gains much more power over your system:

  • Files can be renamed, moved, overwritten or deleted. This includes your data directory too.
  • Unwanted files can be uploaded to your script and data directories. This includes Trojans, viruses, remote control programs like Back Orifice, compromising material or anything else.
  • Any file from your Miva directories can be downloaded.
  • Your Miva Mia or your entire system can be shut down, with the loss of data in open documents.
  • E-mail can be sent and received through your PC.
  • If you have other server applications like FTP or Telnet running on your PC, they can be accessed with your own privileges.
  • With Mia prior to 3.63, an intruder can view your sources and access files all over your disk, outside the Miva directories, without any hassle!

What more?

The standard Mia package (I have checked it up to version 3.63) installs some template scripts. I never used them, but in a short check (a single search of about 30 seconds) I discovered three serious security holes that enable everything mentioned in the previous paragraph. There are surely some more. This means that if you have installed Mia without removing or at least renaming the templates, you can be under an intruder's control within a few seconds whenever you connect to the Internet.

For evident reasons I will not publish any details about the security holes before they are removed from the installation kit and before users have had time to fix their security. Please help to spread this information among the Miva community!


What version of Miva Mia is vulnerable?

At the time I wrote this article: all of them, up to 3.63. The situation in versions prior to 3.63 is much more serious; just have a look at the change log (link follows) and you will see why!
http://www.miva.com/docs/changelogs/mia_changelog.html


What to do?

  • The best solution would be for Mia to be configurable to accept connections from selected clients (IPs) only. Unfortunately, this is not the case at this time.
  • You can shut down Mia each time you connect to the Internet, but that is rather inconvenient.
  • You can install a hardware or software firewall on your PC or LAN.

Nothing else?

  • Non-standard ports, directory locations or file names help little, and still leave you fully vulnerable.
  • Changing file permissions (NT) does not help at all.
  • Using the proxy server of your ISP helps only partially - your real IP can be revealed in many ways.
  • Some firewalls, if not properly configured, still leave your default Mia port 80 open!

I do not care. I have nothing to lose!

Wrong! Maybe you have no important files in your Miva directory and you do not care if somebody grabs them. Maybe you do not care that somebody can 'nuke' you and slow down or shut down your PC. Maybe you have no important or sensitive database in your data directory or anywhere else on your PC. Still, you should care!

Why? Once a malicious hacker gets access to your PC, he can use it for attacks on more important, sensitive targets like routers, name servers, providers, merchants, banks, military or governmental sites, etc. Your PC can be used to hide the real identity of the attacker, or as part of a massive distributed attack against another site. In such a case, the respective authorities could confiscate your PC for a long investigation.


What is a firewall?

Have a look here for the reply: http://www.whatis.com/firewall.htm

I do not want to advertise any product here. It would not be responsible, because I have never tested more of them. Please have a look at the following links for some tips:
http://navasgrp.home.att.net/tech/cable_dsl.htm#Security
http://www.doshelp.com/
Or use a search engine to find much more.

Take care!


copyright  truXoft  © 1997-2008