back to article What's worse than an annoying internet filter? How about one with a pre-auth remote-command execution hole and there's no patch?

Netsweeper's internet filter has a nasty security vulnerability that can be exploited to hijack the host server and tamper with lists of blocked websites. There are no known fixes right now. For those unfamiliar, Netsweeper makes software that monitors and blocks connections to undesirable websites and servers. It's aimed at …

  1. Snake Silver badge

    "Away from rogue internet users."

    In a seriously repressed society, one that uses Netsweeper as per the article's early references, one person's "rogue internet user" is another person's "freedom fighter".

    1. Anonymous Coward
      Anonymous Coward

      It has a lot of customers in the Middle East, where it's used to prevent access to content not meant for the local populace,...

      Would think these are the ones that should be hacked first.

  2. IT Hack

    No multi factor authentication? Pretty standard these days and if your system does not support these kinds of authentication you need to ask yourself how secure is this.

    Normally I would add the beer icon and make a quip. However it's about 07:30 and I refuse to let the lockdown turn me into a booze hound.

    1. Richard 12 Silver badge
      Mushroom

      It wouldn't make the slightest difference.

      A miscreant can just ask the server to run whatever arbitrary Python code they like.

      There's not even an upper limit on size or time, as the Python can download something more evil from the Internet and run that in the security context of the execution engine.

      Hopefully that's not root, but if it's got write access to the configuration files for the appliance, then it can happily redirect every single request to $evil_site and force-feed computer nasties to an entire country.

      So that's nice.

      It's eval() all over again.

      1. IT Hack

        Re: It wouldn't make the slightest difference.

        First you audit the software before implementing it. Not only what resources it requires but also how it 'does' security. So in terms of authentication ....network layer authentication to be the way to go coupled with MFA. Of course if your MFA is compromised then your on a hiding to nowhere.

        1. This post has been deleted by its author

          1. IT Hack

            Re: It wouldn't make the slightest difference.

            Hide into nowhere

            No...hiding to nowhere (also hiding to nothing) is correct. Hide into nowhere isn't even a phrase.

            1. Prst. V.Jeltz Silver badge
              Coat

              Re: It wouldn't make the slightest difference.

              ok , dont get up on your pedal stool , it was a bit of a damp squid after all.

              1. Sir Runcible Spoon Silver badge
                Coat

                Re: It wouldn't make the slightest difference.

                Don't you mean moist octopus? Plus your!=you're

                1. Jimmy2Cows Silver badge
                  Holmes

                  Re: your!=you're

                  If your* replying to Prst. V.Jeltz, given the overall tone of the comment that might be intentional...

                  *Yeah I went their**

                  **Went there twice

              2. Richard Jones 1
                FAIL

                Re: It wouldn't make the slightest difference.

                @ Prst. V.Jeltz, I think you mean a damp squib, a sqib is a sort of firework that should go bang, however, when damp it fails to do anything.

                1. Prst. V.Jeltz Silver badge

                  Re: It wouldn't make the slightest difference.

                  indeed, but you failed to correct me on pedestal

                  https://youtu.be/XnXKVY-_i2c?t=47

          2. Anon

            Re: It wouldn't make the slightest difference.

            You're meant to notice the "your".

        2. Anonymous Coward
          Anonymous Coward

          Re: It wouldn't make the slightest difference.

          ...if your MFA is compromised then you're on a hiding...

        3. IT Hack
          Coat

          Re: It wouldn't make the slightest difference.

          Ha yeah you're ...not your. I didn't even catch that.

          I note my critic has removed they're post!

          1. Sir Runcible Spoon Silver badge
            Headmaster

            Re: It wouldn't make the slightest difference.

            "I note my critic has removed they're post!"

            Please don't keep doing that, I'm at my whitsend with all these grammarly mistakes.

            1. IT Hack
              Megaphone

              Re: It wouldn't make the slightest difference.

              Sir Spoon.

              Bad punning is what I do. I am manager.

              1. A.P. Veening Silver badge

                Re: It wouldn't make the slightest difference.

                That deserves thrice a pun-ishment.

                Once for punning itself.

                Twice for bad punning (is there any good punning).

                Thrice for being a manager.

                1. IT Hack

                  Re: It wouldn't make the slightest difference.

                  A good pun is by nature bad.

                  Lets not get hung up on the manager thing. Even though I brought it up.

                  Dammit.

  3. redpawn Silver badge

    Only rogue users

    If you need this for your company you already view your users as rogue and might want a firewall between the filter and the users.

    1. tip pc Silver badge

      Re: Only rogue users

      Is it acceptable for staff to surf stuff at work that other staff or the media would find not suitable for doing at work?

      If it’s not acceptable you will need some kind of filter. Every company I have worked at (either government or Fortune 500 equivalents) has had filtering which I’ve sometimes managed. We all accept some level of email filtering as normal, in the uk government has mandated ISP’s block access to certain sites like the pirate bay etc so not a great deal of difference, ok uk isn’t blocking the same extensive list as other nations but blocking exists, just not to sites that most people go to.

      1. Peter2 Silver badge

        Re: Only rogue users

        Yep. Here, our web filtering list is relatively short. Basically covering things like porn, stopping people downloading illegal things over our network (no, you are NOT using our fiber line to download music/movies & viruses from dodgy sites...) and preventing people from downloading programs since they shouldn't be doing so unless they are IT, in which case they'll have an override password for the filter.

        If these sites weren't blocked then we'd have to simply dismiss staff for gross negligence if they were caught doing any of the things above. And that'd require us to keep a stasi level of intrusiveness into what our staff actually do on the internet.

        1. Anonymous Coward
          Anonymous Coward

          Re: Only rogue users

          Here our filter is fairly liberal, but it does block xkcd , which is annoying,

          I'm not in charge of what it block , or, more to the point, how it is deployed.

          I'm a dev now ,not i.t. admin, with normal user rights.

          So you know what i do if a want to see xkcd or other "entertainment" sites?

          I turn it off.

          Yep you heard , they dont channel all the traffic through the filter at the firewall or whatever , they rely on every workstation having certain boxes ticked in the internet settings.

          So i just untick.

          Granted its got harder since they policied out access to that menu ... I have to use a reg file now.

          1. IGotOut Silver badge
            Black Helicopters

            Re: Only rogue users

            Blocking xkcd? Are the afraid of you seeing the truth! Scared yiu may find out company secrets? Demand your rights! Say no to censorship!

            1. Mage Silver badge
              Black Helicopters

              Re: Blocking xkcd?

              Isn't Dilbert more subversive to cubicle culture?

        2. Roland6 Silver badge

          Re: Only rogue users

          >Yep. Here, our web filtering list is relatively short.

          It works well until you explore a little.

          A client had barred "gambling sites", it worked well until they decided to bid for funding from the National Lottery.

          On investigation, yes the filter did block the big name sites, but none of the smaller sites - neither did it have an exclusion list. Not naming names but the web filter was from a popular business provider (£) of web filtering services.

      2. Anonymous Coward
        Anonymous Coward

        Re: Only rogue users

        Is it acceptable for staff to surf stuff at work that other staff or the media would find not suitable for doing at work?

        If it’s not acceptable you will need some kind of filter.

        No.

        If it's not acceptable, you need a policy which says what is (and is not) acceptable. People caught violating the policy will be subject to company disciplinary process, just like any other breach of company policy.

        You cannot make a filter which can tell the difference between Youtube videos for work research and Youtube videos for wasting time.

        1. John Brown (no body) Silver badge

          Re: Only rogue users

          Yeah, but a filter is a one off cost and they you can forget about it. Or maybe a less than the cost of a wage monthly sub and you don't have the hassle of some meatbag being in charge of checking the logs and stuff. Then the liability is on the filter provider while the C-suite can all have plausible deniability if the shit hits the fan.

        2. J. Cook Silver badge

          Re: Only rogue users

          DING DING DING DING!!!!

          Internet filters are pointless without a defined policy (set by the company's management, disseminated by HR as part of the on-boarding process) and enforced by the IT group managing the internet filter.

    2. J. Cook Silver badge

      Re: Only rogue users

      [RedactedCo] uses it for two things: security (drive-by malware and phishing mostly, but overall security) and 'productivity enhancement' (i.e., keeping people from looking at social media sites (aka facebook, instagram, snapchat), pulling down content of no business value (i.e. porn, torrents, pirated software, etc.) or other things that the business deems necessary.

      Obvious bias: I'm the owner of [RedactedCo]'s content security applications, which is ironic because I despite censorship in all it's forms; I can see why the business needs an internet filter, though.

  4. Bronek Kozicki Silver badge
    Trollface

    Huh

    Security vulnerability in a web tool written in .php; must be a day ending with "y"

    1. Nick Ryan Silver badge

      Re: Huh

      FTFY: Security vulnerability in a web tool written in any scripting language; must be a day ending with "y".

      Seriously... clueless developers abound and it's staggering the awful quality of code that gets vomitted out often using "modern", "progressive" and other bullshit excuses as to why errors don't need to be handled, to excuse the barely mappable mesh of external dependencies pulled in at uncontrolled times and why making a complicated mess is somehow a good idea.

      As for repeating the same mistakes that have had solutions and well established best practices for well over 30 years? Never trust user input and only construct queries using proper parameters.

      1. IT Hack

        Re: Huh

        The issue is that vendors don't really do much in the way of securing code or coding securely. Is it the fault of the devs? Perhaps but certainly the vendor should be ensuring devs get the correct guidance. On the flip side are customers who will take any s/w willy nilly with no concept of acceptance testing and indeed the security posture of the software is absolutely part of that acceptance.

        1. Version 1.0 Silver badge

          Re: Huh

          Code testing for years has always been to "show that it works" - never that it can't be hacked.

          1. IT Hack

            Show it works

            Upvoted.

  5. KorndogDev
    WTF?

    The real problem is here:

    "remote access to the administration tool"

  6. Majack

    PHP says it all

    I saw those 3 letters, noded sagely, then decided to sure my hubris in the comments section.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020