Beyaz_şapka
Üye
- Mesajlar
- 3
The risk level of this vulnerability seen on the EBA website is high.
The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the intance metadata maintained by cloud service providers such as AWS,GCP and Azura
Data returned can include information that would allow an attacker to completely compromise the system.
This issue needs to be taken into consideration.
EBA web sitesinde görülen bu güvenlik açığının risk düzeyi yüksektir.
Bulut Meta Veri Saldırısı, AWS, GCP ve Azura gibi bulut hizmet sağlayıcıları tarafından tutulan örnek meta verilere erişmek için yanlış yapılandırılmış bir NGINX sunucusunu kötüye kullanmaya çalışır.
Döndürülen veriler, bir saldırganın sistemi tamamen tehlikeye atmasına olanak tanıyacak bilgileri içerebilir.
Bu konunun dikkate alınması gerekiyor.
<!doctype html>
<html lang="tr">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1, minimum-scale=1">
<base href="/"> <meta name="description"
content="Eğitim Bilişim Ağı öğretmenler ile öğrenciler arasında iletişim kurmak, eğitim hayatları boyunca kullanabilecekleri materyalleri sağlamak üzere kurulan eğlenceli bir portaldir.">
<meta name="apple-mobile-web-app-capable" content="yes" />
<meta name="author" content="MEB">
<meta name="keywords" content="MEB, YEĞİTEK, EBA, Eğitim Bilişim Ağı, sosyal eğitim platformu, eğitim, içerik, ">
<title>EBA, EBATV, Mesleki Gelişim, Eğitim Bilişim Ağı</title>
<!-- Favicon -->
<link rel="shortcut icon" href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/img/favicon.ico" />
<!-- Plugin CSS -->
<link href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/bootstrap-3.3.7/css/bootstrap.min.css"
rel="stylesheet">
<link href="https://cdnvideo.eba.gov.tr/eba-v4-...ebfont-master/css/materialdesignicons.min.css"
media="all" rel="stylesheet" type="text/css">
<link href="https://cdnvideo.eba.gov.tr/eba-v4-...ap-select-1.11.2/css/bootstrap-select.min.css"
media="all" rel="stylesheet" type="text/css">
<!-- OWL-v2 CSS -->
<link href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/owl-carousel-2/css/owl.carousel.min.css"
rel="stylesheet" type="text/css">
<link href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/owl-carousel-2/css/owl.theme.default.min.css"
rel="stylesheet" type="text/css">
<!-- Custom CSS -->
<link href="./assets/css/style2.css?v0809202145" rel="stylesheet" type="text/css">
<!-- using local <script src="./assets/json/calendar3.js" type="text/javascript"></script>-->
<script src="https://cdnvideo.eba.gov.tr/assets/json/calendar3.js" type="text/javascript"></script>
<script src="https://cdnpub.eba.gov.tr/bubizeuyar/js/plyr.min.js?1580258944"></script>
<script src="https://cdnpub.eba.gov.tr/bubizeuyar/js/hls.js?1580258944"></script>
<link rel="stylesheet" href="https://cdnpub.eba.gov.tr/bubizeuyar/css/skin1.css">
<script src="https://cdnpub.eba.gov.tr/bubizeuyar/js/flowplayer2.min.js"></script>
<link rel="stylesheet" href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/css/jquery-ui.min.css"/>
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/js/html5shiv.js" type="text/javascript"></script>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/js/respond.min.js" type="text/javascript"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="./assets/vendor/slick/slick.css">
<!-- Google Tag Manager -->
<script>(function (w, d, s, l, i) {
w[l] = w[l] || []; w[l].push({
'gtm.start':
new Date().getTime(), event: 'gtm.js'
}); var f = d.getElementsByTagName(s)[0],
j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : ''; j.async = true; j.src =
'https://www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f);
})(window, document, 'script', 'dataLayer', 'GTM-TW5B7CT');</script>
<script>
function popupCenter(url, w, h) {
var left = (screen.width / 2) - (w / 2);
var top = (screen.height / 2) - (h / 2);
return window.open(url + encodeURIComponent(location.href), 'share-dialog', 'toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=no, resizable=no, copyhistory=no, width=' + w + ', height=' + h + ', top=' + top + ', left=' + left);
}
</script>
<link rel="stylesheet" href="styles.5ce8e3e09228533ce90c.css"></head>
<body class="new-portal new-portal-main">
<div id="infographic-load"></div>
<div class="container-fluid page-content-area">
<app-root>
<div class="loading">
<div class="lds-ellipsis">
<div></div>
<div></div>
<div></div>
<div></div>
<span></span>
</div>
</div>
</app-root>
</div>
<script>
var global = window;
</script>
<script src="./assets/vendor/jquery/jquery-3.2.1.min.js"></script>
<script
src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/bootstrap-select-1.11.2/js/bootstrap-select.min.js"></script>
<!-- Bootstrap Core JavaScript -->
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/bootstrap-3.3.7/js/bootstrap.min.js"></script>
<!-- OWL-v2 SCRIPT-->
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/owl-carousel-2/owl.carousel.min.js" defer
type="text/javascript"></script>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/johnpolacek-imagefill/js/imagesloaded.js"
defer></script>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/johnpolacek-imagefill/js/jquery-imagefill.js"
defer></script>
<script src="./assets/vendor/animsition/js/animsition.min.js"></script>
<script src="./assets/vendor/bootstrap/js/popper.js"></script>
<script src="./assets/vendor/bootstrap/js/bootstrap.min.js"></script>
<script src="./assets/vendor/slick/slick.min.js"></script>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/AOS/aos.js" defer></script>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-157287772-1"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }
gtag('js', new Date());
gtag('config', 'UA-157287772-1');
$(window).on('load', function () {
var standalone = window.navigator.standalone,
userAgent = window.navigator.userAgent.toLowerCase(),
safari = /safari/.test(userAgent),
ios = /iphone|ipod|ipad/.test(userAgent),
iphone = /iphone/.test(userAgent),
android = /android/i.test(userAgent);
//console.log(standalone);
//console.log(navigator.userAgent.indexOf("EbaMobil"));
if (navigator.userAgent.indexOf("EbaMobil") != -1) {
//uygulamaysa
if (ios) {
$('.akadest').attr("href", "");
} else if (android) {
$('.akadest').attr("href", "https://www.eba.gov.tr/akademik-destek");
}
} else {
//uygulama değil
if (!standalone && ios) {
if (!standalone && safari) {
if (iphone) {
$('.akadest').attr("href", "https://apps.apple.com/app/id1477319289");
}
$(".mobile_alert").removeClass("hide");
//$('.mobile_qr').addClass("hide");
}
} else if (!standalone && android) {
$('.akadest').attr("href", "https://play.google.com/store/apps/details?id=tr.gov.eba.akademikdestek");
//return /EbaMobil\/[0-9\.]+$/.test(navigator.userAgent);
if (navigator.userAgent.indexOf("EbaMobil") == -1) {
$(".mobile_alert").removeClass("hide");
//$('.mobile_qr').addClass("hide");
}
}
}
});
function cookieControl() {
if (navigator.cookieEnabled === false) {
alert("Tarayıcınızın Cookie özelliği kapalı durumdadır. Lüften, giriş yapmak için Cookie özelliğini açınız.");
}
}
</script>
<!-- Google Tag Manager (noscript) -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-TW5B7CT" height="0" width="0"
style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->
<script type="text/javascript" src="runtime.30bddfb0309723204d3f.js"></script><script type="text/javascript" src="polyfills.58e07334d47942e62b5b.js"></script><script type="text/javascript" src="scripts.86558dcd35f4226f2777.js"></script><script type="text/javascript" src="vendor.86b4a0a2fb11041c5ad0.js"></script><script type="text/javascript" src="main.c80f621270bed634c213.js"></script></body>
</html>
The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the intance metadata maintained by cloud service providers such as AWS,GCP and Azura
Data returned can include information that would allow an attacker to completely compromise the system.
This issue needs to be taken into consideration.
EBA web sitesinde görülen bu güvenlik açığının risk düzeyi yüksektir.
Bulut Meta Veri Saldırısı, AWS, GCP ve Azura gibi bulut hizmet sağlayıcıları tarafından tutulan örnek meta verilere erişmek için yanlış yapılandırılmış bir NGINX sunucusunu kötüye kullanmaya çalışır.
Döndürülen veriler, bir saldırganın sistemi tamamen tehlikeye atmasına olanak tanıyacak bilgileri içerebilir.
Bu konunun dikkate alınması gerekiyor.
<!doctype html>
<html lang="tr">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1, minimum-scale=1">
<base href="/"> <meta name="description"
content="Eğitim Bilişim Ağı öğretmenler ile öğrenciler arasında iletişim kurmak, eğitim hayatları boyunca kullanabilecekleri materyalleri sağlamak üzere kurulan eğlenceli bir portaldir.">
<meta name="apple-mobile-web-app-capable" content="yes" />
<meta name="author" content="MEB">
<meta name="keywords" content="MEB, YEĞİTEK, EBA, Eğitim Bilişim Ağı, sosyal eğitim platformu, eğitim, içerik, ">
<title>EBA, EBATV, Mesleki Gelişim, Eğitim Bilişim Ağı</title>
<!-- Favicon -->
<link rel="shortcut icon" href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/img/favicon.ico" />
<!-- Plugin CSS -->
<link href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/bootstrap-3.3.7/css/bootstrap.min.css"
rel="stylesheet">
<link href="https://cdnvideo.eba.gov.tr/eba-v4-...ebfont-master/css/materialdesignicons.min.css"
media="all" rel="stylesheet" type="text/css">
<link href="https://cdnvideo.eba.gov.tr/eba-v4-...ap-select-1.11.2/css/bootstrap-select.min.css"
media="all" rel="stylesheet" type="text/css">
<!-- OWL-v2 CSS -->
<link href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/owl-carousel-2/css/owl.carousel.min.css"
rel="stylesheet" type="text/css">
<link href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/owl-carousel-2/css/owl.theme.default.min.css"
rel="stylesheet" type="text/css">
<!-- Custom CSS -->
<link href="./assets/css/style2.css?v0809202145" rel="stylesheet" type="text/css">
<!-- using local <script src="./assets/json/calendar3.js" type="text/javascript"></script>-->
<script src="https://cdnvideo.eba.gov.tr/assets/json/calendar3.js" type="text/javascript"></script>
<script src="https://cdnpub.eba.gov.tr/bubizeuyar/js/plyr.min.js?1580258944"></script>
<script src="https://cdnpub.eba.gov.tr/bubizeuyar/js/hls.js?1580258944"></script>
<link rel="stylesheet" href="https://cdnpub.eba.gov.tr/bubizeuyar/css/skin1.css">
<script src="https://cdnpub.eba.gov.tr/bubizeuyar/js/flowplayer2.min.js"></script>
<link rel="stylesheet" href="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/css/jquery-ui.min.css"/>
<!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/js/html5shiv.js" type="text/javascript"></script>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/js/respond.min.js" type="text/javascript"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="./assets/vendor/slick/slick.css">
<!-- Google Tag Manager -->
<script>(function (w, d, s, l, i) {
w[l] = w[l] || []; w[l].push({
'gtm.start':
new Date().getTime(), event: 'gtm.js'
}); var f = d.getElementsByTagName(s)[0],
j = d.createElement(s), dl = l != 'dataLayer' ? '&l=' + l : ''; j.async = true; j.src =
'https://www.googletagmanager.com/gtm.js?id=' + i + dl; f.parentNode.insertBefore(j, f);
})(window, document, 'script', 'dataLayer', 'GTM-TW5B7CT');</script>
<script>
function popupCenter(url, w, h) {
var left = (screen.width / 2) - (w / 2);
var top = (screen.height / 2) - (h / 2);
return window.open(url + encodeURIComponent(location.href), 'share-dialog', 'toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=no, resizable=no, copyhistory=no, width=' + w + ', height=' + h + ', top=' + top + ', left=' + left);
}
</script>
<link rel="stylesheet" href="styles.5ce8e3e09228533ce90c.css"></head>
<body class="new-portal new-portal-main">
<div id="infographic-load"></div>
<div class="container-fluid page-content-area">
<app-root>
<div class="loading">
<div class="lds-ellipsis">
<div></div>
<div></div>
<div></div>
<div></div>
<span></span>
</div>
</div>
</app-root>
</div>
<script>
var global = window;
</script>
<script src="./assets/vendor/jquery/jquery-3.2.1.min.js"></script>
<script
src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/bootstrap-select-1.11.2/js/bootstrap-select.min.js"></script>
<!-- Bootstrap Core JavaScript -->
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/bootstrap-3.3.7/js/bootstrap.min.js"></script>
<!-- OWL-v2 SCRIPT-->
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/owl-carousel-2/owl.carousel.min.js" defer
type="text/javascript"></script>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/johnpolacek-imagefill/js/imagesloaded.js"
defer></script>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/johnpolacek-imagefill/js/jquery-imagefill.js"
defer></script>
<script src="./assets/vendor/animsition/js/animsition.min.js"></script>
<script src="./assets/vendor/bootstrap/js/popper.js"></script>
<script src="./assets/vendor/bootstrap/js/bootstrap.min.js"></script>
<script src="./assets/vendor/slick/slick.min.js"></script>
<script src="https://cdnvideo.eba.gov.tr/eba-v4-arayuz/plugins/AOS/aos.js" defer></script>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-157287772-1"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }
gtag('js', new Date());
gtag('config', 'UA-157287772-1');
$(window).on('load', function () {
var standalone = window.navigator.standalone,
userAgent = window.navigator.userAgent.toLowerCase(),
safari = /safari/.test(userAgent),
ios = /iphone|ipod|ipad/.test(userAgent),
iphone = /iphone/.test(userAgent),
android = /android/i.test(userAgent);
//console.log(standalone);
//console.log(navigator.userAgent.indexOf("EbaMobil"));
if (navigator.userAgent.indexOf("EbaMobil") != -1) {
//uygulamaysa
if (ios) {
$('.akadest').attr("href", "");
} else if (android) {
$('.akadest').attr("href", "https://www.eba.gov.tr/akademik-destek");
}
} else {
//uygulama değil
if (!standalone && ios) {
if (!standalone && safari) {
if (iphone) {
$('.akadest').attr("href", "https://apps.apple.com/app/id1477319289");
}
$(".mobile_alert").removeClass("hide");
//$('.mobile_qr').addClass("hide");
}
} else if (!standalone && android) {
$('.akadest').attr("href", "https://play.google.com/store/apps/details?id=tr.gov.eba.akademikdestek");
//return /EbaMobil\/[0-9\.]+$/.test(navigator.userAgent);
if (navigator.userAgent.indexOf("EbaMobil") == -1) {
$(".mobile_alert").removeClass("hide");
//$('.mobile_qr').addClass("hide");
}
}
}
});
function cookieControl() {
if (navigator.cookieEnabled === false) {
alert("Tarayıcınızın Cookie özelliği kapalı durumdadır. Lüften, giriş yapmak için Cookie özelliğini açınız.");
}
}
</script>
<!-- Google Tag Manager (noscript) -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-TW5B7CT" height="0" width="0"
style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->
<script type="text/javascript" src="runtime.30bddfb0309723204d3f.js"></script><script type="text/javascript" src="polyfills.58e07334d47942e62b5b.js"></script><script type="text/javascript" src="scripts.86558dcd35f4226f2777.js"></script><script type="text/javascript" src="vendor.86b4a0a2fb11041c5ad0.js"></script><script type="text/javascript" src="main.c80f621270bed634c213.js"></script></body>
</html>
