#6 Access to Administrate pages as a normal user

2.0
closed-fixed
nobody
6
2014-08-26
2008-08-06
Adam Franco
No

See pages 27-29 of the report for additional info.

--------------------

Next, we logged into Segue2 as an administrator, opened the administrative tab and saved it to the
system. We iterated over all of the links to enumerate whether a non-authenticated user could browse to any of the
administrative pages.

$ ./rip_links.pl -f index.php.html
http://x.x.x.x/index.php?module=auth&action=login
http://x.x.x.x//
http://x.x.x.x/index.php?module=language&action=change
http://x.x.x.x/index.php?module=home&action=welcome
http://x.x.x.x/index.php?module=portal&action=list
http://x.x.x.x/index.php?module=user&action=main
http://x.x.x.x/index.php?module=admin&action=main
http://x.x.x.x/index.php?module=agents&action=create_agent
http://x.x.x.x/index.php?module=agents&action=group_browse
http://x.x.x.x/index.php?module=agents&action=group_membership
http://x.x.x.x/index.php?module=agents&action=edit_agents
http://x.x.x.x/index.php?module=authorization&action=browse_authorizations
http://x.x.x.x/index.php?module=authorization&action=choose_agent
http://x.x.x.x/index.php?module=logs&action=browse
http://x.x.x.x/index.php?module=logs&action=usage
http://x.x.x.x/index.php?module=help&action=browse_help
http://x.x.x.x/index.php?module=window&action=changelog
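The link list above was produced by the auditors' rip_links.pl. The following Python is an added example, not that script and not Segue/Polyphony code: it pulls the index.php links out of a saved page, keys them by module and action, and groups the ones that belong to modules that should only be reachable by administrators, giving the inventory of endpoints an authorization regression test has to cover. SAMPLE_HTML is a constructed fragment in the shape of the saved admin page, and PRIVILEGED_MODULES is an assumed list built from the modules named in this ticket.

```python
"""Inventory privileged index.php endpoints from a saved page.

Added example, not the audit's rip_links.pl. SAMPLE_HTML and
PRIVILEGED_MODULES are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed fragment standing in for the saved administrative page.
SAMPLE_HTML = """
<a href="http://x.x.x.x/index.php?module=auth&amp;action=login">Login</a>
<a href="http://x.x.x.x/index.php?module=admin&amp;action=main">Admin</a>
<a href="http://x.x.x.x/index.php?module=agents&amp;action=group_browse">Groups</a>
<a href="http://x.x.x.x/index.php?module=logs&amp;action=browse">Logs</a>
<a href="http://x.x.x.x/index.php?module=help&amp;action=browse_help">Help</a>
<a href="http://x.x.x.x//">Home</a>
"""

# Assumed: modules that only administrators should reach (taken from the
# module names that appear in this ticket, not from Segue's own configuration).
PRIVILEGED_MODULES = {"admin", "agents", "authorization", "logs"}


class LinkCollector(HTMLParser):
    """Collect every href of every <a> tag; HTMLParser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def rip_links(html):
    """Return all hrefs in document order (the equivalent of rip_links.pl)."""
    collector = LinkCollector()
    collector.feed(html)
    return collector.hrefs


def module_action(url):
    """Return (module, action) for an index.php link, or None if absent."""
    query = parse_qs(urlsplit(url).query)
    module = query.get("module")
    action = query.get("action")
    if not module or not action:
        return None
    return (module[0], action[0])


def privileged_endpoints(html):
    """Map each privileged module to the actions linked from the page."""
    found = {}
    for href in rip_links(html):
        pair = module_action(href)
        if pair and pair[0] in PRIVILEGED_MODULES:
            found.setdefault(pair[0], []).append(pair[1])
    return found


if __name__ == "__main__":
    for module, actions in privileged_endpoints(SAMPLE_HTML).items():
        print(module, actions)
```

Each module/action pair in the resulting map is one endpoint that must refuse an unauthenticated request; a test that fetches each of them without a session and expects the login page catches the class of problem this ticket describes.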

We found that an unauthenticated or authenticated user had the ability to browse to certain administrative
pages.

- Agents & Groups
- Browse Logs

An authenticated user is able to browse to the following administrative pages:

- http://x.x.x.x/index.php?module=logs&action=usage
-- This page provides the user with the ability to search logs based on usage of the
application.
- http://x.x.x.x/index.php?module=authorization&action=choose_agent
-- This page provides the user with the ability to view all users and groups within the
application as well as being able to determine what group a user belongs to.
- http://x.x.x.x/index.php?module=authorization&action=edit_authorizations&polyphony-authorizations___expandedGroups=edu.middlebury.agents.users
-- This page provides the user with the ability to view all the possible actions on the Segue2
application. Also using this page, a user is able to determine which actions a specific user
has the ability to perform.

Example:

We opened the following page:
http://x.x.x.x/index.php?module=authorization&action=browse_authorizations&Polyphony-authorizations___expanded_nodes=%21edu.middlebury.authorization.root%21edu.middlebury.agents.everyone%21edu.middlebury.agents.all_agents

This page contained the following information:
Segue2 Qualifier Hierarchy - A Hierarchy to hold all Qualifiers known to Segue2.
All of Segue2 You are not authorized to view authorizations here.
Everyone You are not authorized to view authorizations here.
All Agents You are not authorized to view authorizations here.
user11 You are not authorized to view authorizations here.
Chapin, Alex - Historical You are not authorized to view authorizations here.
Adam Franco - Historical You are not authorized to view authorizations here.
John Administrator You are not authorized to view authorizations here.
admin1 You are not authorized to view authorizations here.
admin2 You are not authorized to view authorizations here.
admin3 You are not authorized to view authorizations here.
admin4 You are not authorized to view authorizations here.

---------------------
Found in Rapid7 security audit.

Discussion

  • Adam Franco

    Adam Franco - 2008-08-14
    • status: open --> closed-fixed
     
  • Adam Franco

    Adam Franco - 2008-08-14


    Fixed in Polyphony 1.4.0/Segue 2.0-rc-2.

    Security: Polyphony Admin actions now require authorizations at the root of the authorization hierarchy to execute. This prevents unauthorized users from listing all users and asset ids in the system.

     
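The fix comment above gates the admin action at the root of the authorization hierarchy. The Python below is an added example that models why that matters; it is not Polyphony's code, and every name in it (ROOT, PARENT, GRANTS, FUNCTION, browse_authorizations) is constructed. The hierarchy follows the nodes shown in the browse_authorizations output on this ticket. With require_root_grant=False the page behaves as the audit observed: every node name is rendered and only the per-node authorization details are withheld, so an anonymous visitor still learns the full list of agents. With require_root_grant=True the action is refused before anything is rendered unless the agent holds the function at the root.

```python
"""Admin action gated at the root qualifier versus gated per node.

Added example modelled on the fix described in this ticket. ROOT, PARENT,
GRANTS, FUNCTION and the functions below are constructed; none of this is
Polyphony's own API.
"""

# Constructed hierarchy (child -> parent), following the nodes listed on the
# ticket: the root holds "everyone", which holds "all_agents", which holds users.
ROOT = "edu.middlebury.authorization.root"
PARENT = {
    "edu.middlebury.agents.everyone": ROOT,
    "edu.middlebury.agents.all_agents": "edu.middlebury.agents.everyone",
    "user11": "edu.middlebury.agents.all_agents",
    "admin1": "edu.middlebury.agents.all_agents",
}
NODES = [ROOT] + list(PARENT)  # display order: root first, then descendants

# Constructed name for the admin function being gated.
FUNCTION = "admin.view_authorizations"

# Explicit grants as (agent, function, qualifier): admin1 holds the function at
# the root, user11 only on its own node, and the anonymous agent holds nothing.
GRANTS = {
    ("admin1", FUNCTION, ROOT),
    ("user11", FUNCTION, "user11"),
}
ANONYMOUS = "anonymous"


def ancestors(qualifier):
    """Yield the qualifier and each of its ancestors up to the root."""
    while qualifier is not None:
        yield qualifier
        qualifier = PARENT.get(qualifier)


def is_authorized(agent, function, qualifier):
    """A grant on the qualifier or on any ancestor implies authorization."""
    return any((agent, function, q) in GRANTS for q in ancestors(qualifier))


def browse_authorizations(agent, require_root_grant):
    """Render the browse page as (node, detail) pairs, or None if refused.

    require_root_grant=False: node names are always rendered and only the
    per-node details are withheld (the behaviour the audit reported).
    require_root_grant=True: the whole action requires FUNCTION at ROOT.
    """
    if require_root_grant and not is_authorized(agent, FUNCTION, ROOT):
        return None
    page = []
    for node in NODES:
        if is_authorized(agent, FUNCTION, node):
            page.append((node, "authorizations listed"))
        else:
            page.append((node, "You are not authorized to view authorizations here."))
    return page


def disclosed_nodes(agent, require_root_grant):
    """Node names the agent learns from the page: the leak this ticket is about."""
    page = browse_authorizations(agent, require_root_grant)
    return [] if page is None else [node for node, _ in page]


if __name__ == "__main__":
    for fixed in (False, True):
        label = "root-gated" if fixed else "per-node only"
        print(label, "anonymous sees", disclosed_nodes(ANONYMOUS, fixed))
```

The per-node check is still useful for deciding what an authorized administrator may see at each node; the point of the fix is that it is not a substitute for gating entry to the action itself, because the node list is rendered before any per-node decision is made.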
