Username Disclose at s3 Balsamiq

Weakness: Information Disclosure
Scope: None
Severity: Low

  • Username disclosure through the x-amz-meta-s3cmd-attrs header:
  • Request:

GET /mockups-desktop/Balsamiq_Mockups_3.5.5.exe HTTP/1.1
Host: builds.balsamiq.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://balsamiq.com/download/
Cookie: <REDACTED>
Connection: close
Upgrade-Insecure-Requests: 1

  • Response:

x-amz-meta-s3cmd-attrs:uid:113/gname:jenkins/uname:jenkins/gid:117/mode:33261/mtime:1476342989/atime:1476342988/md5:5c46a2e64b38ea6a652f60ae1f729fa2/ctime:1476342989

  • Most importantly, don't store the username in the x-amz-meta-s3cmd-attrs header:

uname:jenkins

  • Attackers can leverage such information while attacking.
  • The x-amz-meta-s3cmd-attrs header stores information about the computer and the user account that performed the sync. Adding the --no-preserve option avoids storing the username.

Use --no-preserve to prevent this information from being stored.

See s3cmd --help:

-p, --preserve Preserve filesystem attributes (mode, ownership, timestamps). Default for [sync] command.
--no-preserve Don't store FS attributes
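As an added example (not part of the original post), a small Python check that parses an x-amz-meta-s3cmd-attrs value in the format shown above and reports the identity fields it exposes, so a defender can scan their own public objects before and after switching uploads to --no-preserve. The response header dicts are constructed here; the attribute value is the one from the response above.

```python
# Header value copied from the response shown above (the leaky "before" case).
OBSERVED_HEADER = (
    "uid:113/gname:jenkins/uname:jenkins/gid:117/mode:33261/"
    "mtime:1476342989/atime:1476342988/"
    "md5:5c46a2e64b38ea6a652f60ae1f729fa2/ctime:1476342989"
)

# Fields that reveal who or what produced the upload (account names and
# numeric ids), as opposed to plain file timestamps, mode or a checksum.
IDENTITY_FIELDS = ("uname", "gname", "uid", "gid")


def parse_s3cmd_attrs(value: str) -> dict:
    """Parse the 'key:val/key:val/...' layout written by s3cmd --preserve."""
    attrs = {}
    for item in value.split("/"):
        if ":" not in item:
            continue  # tolerate trailing slashes or malformed items
        key, _, val = item.partition(":")
        attrs[key.strip()] = val.strip()
    return attrs


def disclosed_identity(headers: dict) -> dict:
    """Return identity-revealing attrs found in a response's headers.

    Header names are matched case-insensitively, as HTTP requires.
    An empty dict means the object does not leak uploader identity.
    """
    for name, value in headers.items():
        if name.lower() == "x-amz-meta-s3cmd-attrs":
            attrs = parse_s3cmd_attrs(value)
            return {k: attrs[k] for k in IDENTITY_FIELDS if k in attrs}
    return {}


if __name__ == "__main__":
    # Constructed response headers: the leaky object, and the same object
    # re-uploaded with `s3cmd put --no-preserve`, which omits the header.
    leaky = {"Content-Type": "application/octet-stream",
             "x-amz-meta-s3cmd-attrs": OBSERVED_HEADER}
    fixed = {"Content-Type": "application/octet-stream"}
    print(disclosed_identity(leaky))  # {'uname': 'jenkins', 'gname': 'jenkins', 'uid': '113', 'gid': '117'}
    print(disclosed_identity(fixed))  # {}
```

Objects already uploaded keep whatever metadata they were stored with, so --no-preserve only affects new uploads; existing objects must be re-uploaded (or have their metadata replaced) for the header to disappear.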
