The social networking service Facebook has awarded security researcher Reginaldo Silva $33,500 for reporting an XML External Entity (XXE) vulnerability that, if left unchecked, could have allowed an attacker to read arbitrary files on the web server.
According to the Facebook Bug Bounty program, Facebook received the bug report in November and investigated the issue. They were able to reproduce it easily; after running the proof of concept to verify it, they filed an urgent task and triggered notifications to the relevant employees.
Reginaldo Silva explains in the post linked below that the issue was an XML External Entity (XXE) vulnerability in a Facebook endpoint that could have allowed someone to read arbitrary files on the web server.
Facebook developers immediately implemented a fix by flipping a flag that causes their XML parsing library to disallow the resolution of external entities. This initial fix was simple enough to fit on one line: libxml_disable_entity_loader(true);.
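To make that one-line fix concrete, the following is an added example in PHP (it is not Facebook's code and not from the original article) showing the vulnerable parsing pattern beside a hardened one. The payload, the `openid`/`claimed_id` element names and the `/etc/passwd` target are constructed for illustration; the only thing taken from the article is the `libxml_disable_entity_loader(true)` call.

```php
<?php
// Added example, not Facebook's code: a libxml-backed parser with the weak
// setting beside the corrected one. Element names are assumed.

// VULNERABLE: LIBXML_NOENT asks libxml to substitute entities, so the parser
// opens the SYSTEM entity (a local file here, but it can be any URL) and
// splices its contents into the document tree, which the caller then echoes.
function parse_vulnerable(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return (string) $doc->claimed_id;   // file contents end up here
}

// HARDENED: never request entity substitution, forbid network fetches, and
// reject any DOCTYPE before trusting the tree. On PHP < 8.0 the one-line
// fix from the article is still needed; on PHP >= 8.0 that function is
// deprecated because libxml >= 2.9 leaves the external loader off unless
// LIBXML_NOENT is passed, so the rule becomes: never pass LIBXML_NOENT.
function parse_hardened(string $xml): string
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('malformed XML');
        }
        if ($doc->doctype !== null) {
            // An OpenID response has no legitimate need for a DTD.
            throw new InvalidArgumentException('DOCTYPE not allowed');
        }
        $node = $doc->getElementsByTagName('claimed_id')->item(0);
        return $node === null ? '' : $node->textContent;
    } finally {
        libxml_use_internal_errors($previous);
    }
}

// Constructed attacker payload: an inline DOCTYPE declares an external entity
// backed by a local file, and the body references it.
$payload = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE openid [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<openid><claimed_id>&xxe;</claimed_id></openid>
XML;

// Uncomment to see the leak on an unpatched setup (reads /etc/passwd):
// echo parse_vulnerable($payload), PHP_EOL;

try {
    echo parse_hardened($payload), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The flag alone is the minimum fix; the DOCTYPE check and LIBXML_NONET are defence in depth, so that a future call site that adds LIBXML_NOENT for convenience does not silently reopen the hole.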
Previously, Facebook had awarded a security researcher $20,000 for finding a bug that allowed a user to take over any other account on the site without any human interaction.
After writing the fix, the engineers had to decide how to get it out to all of Facebook's web servers. They used an internal tool called Takedown for this sort of task because it runs at a low level, before much of the request processing happens.
Takedown lets engineers define rules to block, log and modify requests. It ensured the one line of code ran before anything else for any request hitting /openid/receiver.php. This was the immediate short-term fix.
After further investigation, Facebook engineers concluded that libxml_disable_entity_loader(true) was indeed the correct final fix. Because the team wants to leave code in a better state than it found it, writing the long-term fix is often the step in the lifecycle of a bug that takes the longest.
Author: Venkatesh Yalagandula. Follow us on Google+, Facebook and Twitter.