• Aucun résultat trouvé

Sensitive information disclosure in the RESTX framework Security advisory

N/A
N/A
Info
Télécharger
Protected

Academic year: 2022

Partager "Sensitive information disclosure in the RESTX framework Security advisory"

Copied!
4
0
0

Chargement.... (Voir le texte intégral maintenant)

Texte intégral

(1)

Sensitive information disclosure in the RESTX framework

Security advisory

09/03/2016

Julien Legras

www.synacktiv.com 5 rue Sextius Michel 75015 Paris

(2)

Vulnerability description

The RESTX framework

RESTX is a Java REST framework. It provides an easy way to build RESTful API with methods annotation. An administration web console is also available. It allows the administrator to read the API documentation and specifications and to manage the RESTX configuration.

The administration web console is an AngularJS application running inside the web browser. It requests REST administration endpoints to populate the pages.

The issues

Synacktiv has identified vulnerabilities in the security mechanism that protects sensitive resources such as the configuration content. When a user tries to request a REST endpoint that does not exist, the server returns the entire routes list:

From this list, Synacktiv tried to access /@/ui/config/ but the application redirects the user to the administration login page.

However, this redirection is actually done by the AngularJS application, in the web browser. This application requests 2 sensitives resources:

/@/pages : returns 403

/@/config/elements : returns 200 and its content if a valid session cookie is provided (but admin role not needed)

As an application needs to have a valid session cookie in order to perform REST requests, it means that anyone who can steal the session cookie can access the server configuration including:

• administrator password,

• database credentials,

• database IP address,

• etc.

The vulnerability can be exploited in the first sample application restx-samples-hello with the user user1 that is allowed with the role hello, specific to this sample application and not related to the admin role:

2/4

(3)

Almost all administration modules resources are affected by this vulnerability.

Affected versions

The versions up to 0.34 of the following modules are vulnerable:

restx-admin (/@/config/elements)

restx-log-admin (/@/ui/log)

restx-stats-admin (/@/restx-stats)

restx-monitor-admin (/@/sessionStats, /@/metrics, /@/health-checks, /@/thread-dump)

restx-factory-admin (/@/warehouse, /@/factory)

Mitigation

The RESTX version 0.34.1 fixes the issues.

3/4

(4)

Timeline

Date Action

15/01/2016 Advisory sent to the main developer, but no answer 31/01/2016 Second e-mail sent to other developers of the project 31/01/2016 Acknowledgment from the team

08/02/2016 Fix pushed on the github repository 09/03/2016 Advisory published by Synacktiv

4/4

Références

Télécharger maintenant ( PDF - 4 Page - 173.75 KB )

Documents relatifs

The Curse of Knowledge: Having Access to Customer Information Can Reduce Monopoly Profit

We extend the standard third-degree price discrimination model by considering an in…nite-horizon model in which a monopolist gradually learns to identify consumers and gradually

Access or Re-use of PSI? A Cookie if You Get it Right!

Essentially, the obligation of public sector bodies to make PSI available to the citizens stems from national and international regulations on access to

Transience/recurrence and the speed of a one-dimensional random walk in a “have your cookie and eat it” environment

The ith time the process reaches the site x, the process eats the ith cookie at site x , thereby empowering it to jump to the right with probability ω(x, i) and to the left

Partenaire Nom du cookie DOMAIN (Fournisseur) Durée de vie du cookie Catégorie et description du cookie

Il contient un identifiant unique utilisé par Google Analytics pour distinguer les différents utilisateurs et calculer différentes métriques analytiques (nombre de visiteurs,

The decay law can have an irregular character

Within a well-known decay model describing a particle confined initially within a spherical δ po- tential shell, we consider the situation when the undecayed state has an unusual

THE SINGULARITY SPECTRUM OF THE INVERSE OF COOKIE-CUTTERS

Such a measure is discrete (it is con- stituted only by Dirac masses), it satisfies a multifractal formalism, and its L q -spectrum possesses one point of non differentiability1.

Journey to the center of the cookie ecosystem: Unraveling actors' roles and relationships

We can further break down this role into three categories: own senders send their own cookies (i.e., those created by the same node, like a and b), in-chain senders send cookies

Can I opt out yet? GDPR and the global illusion of cookie control

UI elements that preclude browsing until they are dismissed. The categories for content are: a) Anyway for notices that just inform users that they will be tracked; b) AutoAccept