Username Disclosure at s3 Balsamiq
Weakness: Information Disclosure
Scope: None
Severity: Low
- Username disclosure through the x-amz-meta-s3cmd-attrs header:
- Request :
GET /mockups-desktop/Balsamiq_Mockups_3.5.5.exe HTTP/1.1
Host: builds.balsamiq.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://balsamiq.com/download/
Cookie: <REDACTED>
Connection: close
Upgrade-Insecure-Requests: 1
- Response :
x-amz-meta-s3cmd-attrs:uid:113/gname:jenkins/uname:jenkins/gid:117/mode:33261/mtime:1476342989/atime:1476342988/md5:5c46a2e64b38ea6a652f60ae1f729fa2/ctime:1476342989
- Most Importantly Don’t store username in x-amz-meta-s3cmd-attrs header:
uname:jenkins
- Attackers can leverage such information while attacking.
- The x-amz-meta-s3cmd-attrs header stores information about the computer and the user that performed the sync. Adding the parameter “--no-preserve” avoids the storage of the username.
Use --no-preserve to prevent this information from being stored.
See s3cmd --help:
-p, --preserve Preserve filesystem attributes (mode, ownership, timestamps). Default for [sync] command.
--no-preserve Don't store FS attributes
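
To check your own published objects for this leak, the following added example (not part of the original report, and not s3cmd code) parses the x-amz-meta-s3cmd-attrs value and lists the uploader account fields and filesystem metadata it exposes. The function names are hypothetical; the sample value is the one from the response above.

```python
import stat
from datetime import datetime, timezone

HEADER = "x-amz-meta-s3cmd-attrs"
IDENTITY_FIELDS = ("uname", "gname", "uid", "gid")  # local account of the uploading host
TIME_FIELDS = ("mtime", "atime", "ctime")

def parse_s3cmd_attrs(value):
    """Split 'key:val/key:val/...' into a dict, skipping empty or malformed parts."""
    attrs = {}
    for part in value.strip().split("/"):
        key, sep, val = part.partition(":")
        if sep and key.strip():
            attrs[key.strip()] = val.strip()
    return attrs

def audit_headers(headers):
    """Return (field, value, note) findings for one HTTP response's headers."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if HEADER not in lowered:
        return []
    attrs = parse_s3cmd_attrs(lowered[HEADER])
    findings = []
    for field in IDENTITY_FIELDS:
        if field in attrs:
            findings.append((field, attrs[field], "local account detail of the uploader"))
    for field in TIME_FIELDS:
        if attrs.get(field, "").isdigit():
            ts = datetime.fromtimestamp(int(attrs[field]), tz=timezone.utc)
            findings.append((field, ts.isoformat(), "filesystem timestamp"))
    if attrs.get("mode", "").isdigit():
        # st_mode integer rendered as an ls-style permission string
        findings.append(("mode", stat.filemode(int(attrs["mode"])), "filesystem mode"))
    return findings

# Header value copied from the response shown in this report.
SAMPLE = {"x-amz-meta-s3cmd-attrs":
          "uid:113/gname:jenkins/uname:jenkins/gid:117/mode:33261/mtime:1476342989/"
          "atime:1476342988/md5:5c46a2e64b38ea6a652f60ae1f729fa2/ctime:1476342989"}

if __name__ == "__main__":
    for field, value, note in audit_headers(SAMPLE):
        print(f"{field:6} {value:28} {note}")
```

An empty result for objects uploaded after switching to --no-preserve confirms the attributes are no longer stored; objects uploaded earlier keep their old metadata until they are re-uploaded.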