Univention Bugzilla – Bug 54257
Login dialog / meta.json leaks default Administrator name
Last modified: 2022-01-07 15:27:17 CET
Created attachment 10880 [details]
Screenshot Tooltip

curl https://demo.univention.de/univention/meta.json | python -m json.tool | less

The meta.json for unauthenticated users leaks information about the domain, e.g. the "Administrator" user name. It would probably be good to make it configurable whether this information is shown (and to document it in the security guide). It is used as a tooltip for first-time users.

I see the other information in meta.json for unauthenticated users as not problematic. The domain name can be obtained by a reverse DNS lookup.
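The check the report describes, as an added example (not Univention's code and not from the reporter): fetch the endpoint as an anonymous client, walk whatever JSON comes back, and list every path whose value contains an identifier you consider sensitive, here the default "Administrator" account name. The real key names of meta.json are not given in the report, so the sample document below and its keys are constructed for the example; only the walk-and-match logic is the point.

```python
"""Flag account-name disclosure in an unauthenticated meta.json response.

Added example, not part of the bug report or of UCS. SAMPLE_META is a
constructed stand-in for an anonymous GET of /univention/meta.json; its
key names are assumptions, the real document may differ.
"""
import json
import sys
import urllib.request
from typing import Iterator

# Constructed sample (key names invented for the example).
SAMPLE_META = json.dumps({
    "domainname": "demo.univention.de",
    "ldap_base": "dc=demo,dc=univention,dc=de",
    "login": {"tooltip": "Log in as Administrator to get started"},
    "users": {"default-administrator": "Administrator"},
    "languages": ["de_DE", "en_US"],
})


def walk(node, path: str = "$") -> Iterator[tuple[str, object]]:
    """Yield (json-path, leaf-value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_disclosures(meta_text: str, sensitive: list[str]) -> list[tuple[str, str]]:
    """Return (path, value) for every string value containing a sensitive identifier.

    Matching is a plain case-sensitive substring test, so a tooltip that merely
    mentions the account name is reported as well as a field that equals it.
    """
    hits: list[tuple[str, str]] = []
    for path, value in walk(json.loads(meta_text)):
        if isinstance(value, str) and any(ident in value for ident in sensitive):
            hits.append((path, value))
    return hits


def fetch_anonymous(url: str, timeout: float = 10.0) -> str:
    """GET the URL with no cookies or credentials, as a first-time visitor would."""
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    # Pass the endpoint URL to test a live host (e.g. .../univention/meta.json or
    # the .../univention/get/meta alias); without an argument the sample is used.
    text = fetch_anonymous(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_META
    for path, value in find_disclosures(text, ["Administrator"]):
        print(f"{path}: {value!r}")
```

Run it against both spellings of the endpoint, since the alias reported later in this bug returns the same document; an empty result for an anonymous request is the state the report asks for once the option is turned off.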
Created attachment 10881 [details]
Fresh installation

Fuzzing HTTP /univention/portal from localhost.

- port forwarding: ssh -SW wfuzz
- port forwarding: ssh tunneling (reverse)
- dictionary: https://github.com/daviddias/node-dirbuster/blob/master/lists/directory-list-2.3-medium.txt
- machine with UCS 5.0: 10.200.88.2
- Image: 4990 isanchez_ildefonso-univention-ldap
- running snapshot:

virsh snapshot-list isanchez_ildefonso-univention-ldap
 Name         Creation Time              State
 ------------------------------------------------------------
 1639748851   2021-12-17 14:47:31 +0100  running
The right path is: /univention/meta

wfuzz --hc 404 -w directory-list-2.3-medium.txt http://localhost:8989/univention/FUZZ

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://localhost:8989/univention/FUZZ
Total requests: 220560

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000001:   302        9 L      26 W     305 Ch      "# directory-list-2.3-medium.txt"
000000002:   302        9 L      26 W     305 Ch      "#"
000000003:   302        9 L      26 W     305 Ch      "# Copyright 2007 James Fisher"
000000004:   302        9 L      26 W     305 Ch      "#"
000000005:   302        9 L      26 W     305 Ch      "# This work is licensed under the Creative Commons"
000000006:   302        9 L      26 W     305 Ch      "# Attribution-Share Alike 3.0 License. To view a copy of this"
000000007:   302        9 L      26 W     305 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000008:   302        9 L      26 W     305 Ch      "# or send a letter to Creative Commons, 171 Second Street,"
000000009:   302        9 L      26 W     305 Ch      "# Suite 300, San Francisco, California, 94105, USA."
000000010:   302        9 L      26 W     305 Ch      "#"
000000011:   302        9 L      26 W     305 Ch      "# Priority ordered case sensative list, where entries were found"
000000012:   302        9 L      26 W     305 Ch      "# on atleast 2 different hosts"
000000013:   302        9 L      26 W     305 Ch      "#"
000000014:   302        9 L      26 W     305 Ch      ""
000000053:   301        9 L      28 W     328 Ch      "login"
000000368:   301        9 L      28 W     329 Ch      "portal"
000000441:   301        9 L      28 W     333 Ch      "management"
000000740:   301        0 L      8 W      129 Ch      "get"
000000935:   200        2 L      8 W      76 Ch       "languages"
000000953:   301        9 L      28 W     325 Ch      "js"
000001225:   303        0 L      8 W      112 Ch      "logout"
000001725:   200        38 L     78 W     1366 Ch     "meta"
000001898:   301        9 L      28 W     328 Ch      "setup"
000002526:   422        0 L      17 W     199 Ch      "auth"
000002919:   405        0 L      17 W     257 Ch      "set"
000003940:   301        9 L      28 W     334 Ch      "maintenance"
000045240:   302        9 L      26 W     305 Ch      ""
000090739:   404        9 L      31 W     277 Ch      "msg28660"
^C
Finishing pending requests...
The URL https://demo.univention.de/univention/get/meta exposes the same information to unauthenticated users.