See pages 27-29 of the report for additional information.
--------------------
Next, we logged into Segue2 as an administrator, opened the administrative tab and saved it to the system. We iterated all of the links to enumerate whether a non-authenticated user could browse to any of the administrative pages.
$ ./rip_links.pl -f index.php.html
http://x.x.x.x/index.php?module=auth&action=login
http://x.x.x.x//
http://x.x.x.x/index.php?module=language&action=change
http://x.x.x.x/index.php?module=home&action=welcome
http://x.x.x.x/index.php?module=portal&action=list
http://x.x.x.x/index.php?module=user&action=main
http://x.x.x.x/index.php?module=admin&action=main
http://x.x.x.x/index.php?module=agents&action=create_agent
http://x.x.x.x/index.php?module=agents&action=group_browse
http://x.x.x.x/index.php?module=agents&action=group_membership
http://x.x.x.x/index.php?module=agents&action=edit_agents
http://x.x.x.x/index.php?module=authorization&action=browse_authorizations
http://x.x.x.x/index.php?module=authorization&action=choose_agent
http://x.x.x.x/index.php?module=logs&action=browse
http://x.x.x.x/index.php?module=logs&action=usage
http://x.x.x.x/index.php?module=help&action=browse_help
http://x.x.x.x/index.php?module=window&action=changelog
We found that an unauthenticated or authenticated user had the ability to browse to certain administrative pages:
- Agents & Groups
- Browse Logs
An authenticated user is able to browse to the following administrative pages:
- http://x.x.x.x/index.php?module=logs&action=usage
-- This page provides the user with the ability to search logs based on usage of the application.
- http://x.x.x.x/index.php?module=authorization&action=choose_agent
-- This page provides the user with the ability to view all users and groups within the application as well as being able to determine what group a user belongs to.
- http://x.x.x.x/index.php?module=authorization&action=edit_authorizations&polyphony-authorizations___expandedGroups=edu.middlebury.agents.users
-- This page provides the user with the ability to view all the possible actions on the Segue2 application. Also using this page, a user is able to determine which actions a specific user has the ability to perform.
Example:
We opened the following page:
http://x.x.x.x/index.php?module=authorization&action=browse_authorizations&Polyphony-authorizations___expanded_nodes=%21edu.middlebury.authorization.root%21edu.middlebury.agents.everyone%21edu.middlebury.agents.all_agents
This page contained the following information:
Segue2 Qualifier Hierarchy - A Hierarchy to hold all Qualifiers known to Segue2.
All of Segue2 You are not authorized to view authorizations here.
Everyone You are not authorized to view authorizations here.
All Agents You are not authorized to view authorizations here.
user11 You are not authorized to view authorizations here.
Chapin, Alex - Historical You are not authorized to view authorizations here.
Adam Franco - Historical You are not authorized to view authorizations here.
John Administrator You are not authorized to view authorizations here.
admin1 You are not authorized to view authorizations here.
admin2 You are not authorized to view authorizations here.
admin3 You are not authorized to view authorizations here.
admin4 You are not authorized to view authorizations here.
---------------------
Found in Rapid7 security audit.
Logged In: YES
user_id=789554
Originator: YES
Fixed in Polyphony 1.4.0/Segue 2.0-rc-2.
Security: Polyphony Admin actions now require authorizations at the root of the authorization hierarchy to execute. This prevents unauthorized users from listing all users and asset ids in the system.
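As an added illustration of the fix described above (this is a constructed model, not Polyphony's or Segue's own code): qualifiers form a tree rooted at edu.middlebury.authorization.root, a grant on an ancestor qualifier is inherited by its descendants, and the admin-action gate is evaluated against the root so that only an agent holding the function there may list users. The function id "view_authorizations", the agent ids and the grants are assumed sample data; the "before" gate is a constructed illustration of the weak-check pattern, not the actual pre-fix code.

```python
# Constructed model of hierarchical authorization; not Polyphony's own code.
# Qualifier ids follow the report's example; function ids are placeholders.
ROOT = "edu.middlebury.authorization.root"

# child qualifier -> parent qualifier (constructed tree)
PARENTS = {
    "edu.middlebury.agents.everyone": ROOT,
    "edu.middlebury.agents.all_agents": "edu.middlebury.agents.everyone",
    "edu.middlebury.agents.users": "edu.middlebury.agents.all_agents",
}

# Explicit grants: (agent id, function id) -> qualifiers it was granted on.
# "admin1" holds the function at the root; "user11" only on the users
# subtree (constructed sample data).
GRANTS = {
    ("admin1", "view_authorizations"): {ROOT},
    ("user11", "view_authorizations"): {"edu.middlebury.agents.users"},
}


def ancestors(qualifier):
    """Yield the qualifier itself, then each ancestor up to the root."""
    seen = set()
    while qualifier is not None and qualifier not in seen:
        seen.add(qualifier)
        yield qualifier
        qualifier = PARENTS.get(qualifier)


def is_authorized(agent, function, qualifier):
    """A grant on an ancestor qualifier is inherited by its descendants."""
    if agent is None:  # unauthenticated request: never authorized
        return False
    granted = GRANTS.get((agent, function), set())
    return any(q in granted for q in ancestors(qualifier))


def admin_action_allowed_before(agent, function, qualifier):
    """Weak gate (illustrative): checks only the node the request names,
    so an agent with the function anywhere in the tree reaches the action."""
    return is_authorized(agent, function, qualifier)


def admin_action_allowed(agent, function):
    """Fixed gate: the admin action is evaluated against the root, so only
    an agent whose grant covers the root passes."""
    return is_authorized(agent, function, ROOT)
```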