Bug 54256 - Portal: information disclosure?
Status: NEW
Product: UCS
Classification: Unclassified
Component: Portal
Version: UCS 5.0
Hardware/OS: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2021-12-17 12:17 CET by Florian Best
Modified: 2021-12-17 15:28 CET (History)

What kind of report is it?: Security Issue
Bug group (optional): Security

Attachments:
Fresh installation fuzzing http /univention/portal from localhost portforwarding ssh (368.12 KB, image/png), 2021-12-17 15:28 CET, Ildefonso González Sánchez

Description by Florian Best (univentionstaff), 2021-12-17 12:17:36 CET
curl https://demo.univention.de/univention/portal/portal.json | python -m json.tool | less

The portal.json leaks information about the LDAP structure to unauthenticated users.

E.g. the property "allowedGroups" reveals group names;
the property "dn" leaks information about the LDAP container structure.

Question: is this problematic?
Question: do we need to expose the allowedGroups in the frontend? I think everything regarding this is handled in the backend, so we can remove it.
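An added audit script (not from the bug report or from UCS) that checks a portal.json body for the two properties named above and produces the version an unauthenticated client should receive instead; the document layout is a constructed sample, since the real portal.json schema is not shown in the report:

```python
# Added example (not from the bug report or UCS): locate the two properties the
# report names as leaking LDAP structure, and strip them for anonymous clients.
import json

LEAKY_KEYS = {"dn", "allowedGroups"}  # property names taken from the report

# Constructed sample; the real portal.json schema is not in the report.
SAMPLE_PORTAL_JSON = json.dumps({
    "portal": {"dn": "cn=domain,cn=portal,cn=univention,dc=example,dc=com"},
    "entries": [
        {"dn": "cn=admin,cn=entry,cn=portals,cn=univention,dc=example,dc=com",
         "name": {"en_US": "Admin console"},
         "allowedGroups": ["cn=Domain Admins,cn=groups,dc=example,dc=com"]},
        {"dn": "cn=files,cn=entry,cn=portals,cn=univention,dc=example,dc=com",
         "name": {"en_US": "Files"}, "allowedGroups": []},
    ],
})


def find_leaks(node, path="$"):
    """Return JSONPath-like locations of every leaky property below `node`."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key in LEAKY_KEYS:
                hits.append(child)
            hits.extend(find_leaks(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_leaks(item, f"{path}[{i}]"))
    return hits


def strip_leaks(node):
    """Return a new document without leaky properties; access checks stay server-side."""
    if isinstance(node, dict):
        return {k: strip_leaks(v) for k, v in node.items() if k not in LEAKY_KEYS}
    if isinstance(node, list):
        return [strip_leaks(item) for item in node]
    return node


def audit(raw_json):
    """Parse a portal.json body; return (leak locations, sanitized document)."""
    doc = json.loads(raw_json)
    return find_leaks(doc), strip_leaks(doc)


if __name__ == "__main__":
    leaks, clean = audit(SAMPLE_PORTAL_JSON)
    print(len(leaks), "leaky properties:", *leaks, sep="\n  ")
    print(json.dumps(clean, indent=2))
```

Pointing `audit` at the body returned by the curl command above (fetched without a session cookie) shows exactly which paths an anonymous client can read.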
Comment 1 by Ildefonso González Sánchez (univentionstaff), 2021-12-17 15:28:35 CET
Created attachment 10882 [details]
Fresh installation fuzzing http /univention/portal from localhost portforwarding ssh

- SW: wfuzz
- portforward: ssh tunneling reverse
- dictionary: https://github.com/daviddias/node-dirbuster/blob/master/lists/directory-list-2.3-medium.txt
- machine with UCS 5.0: 10.200.88.2
  Image: 4990 isanchez_ildefonso-univention-ldap running
  snapshot: virsh snapshot-list isanchez_ildefonso-univention-ldap
 Name                 Creation Time             State
------------------------------------------------------------
 1639748851           2021-12-17 14:47:31 +0100 running