Missing function level access control allows access to pages by unauthorised users #4407

Closed
pimpampeter opened this Issue Dec 8, 2017 · 1 comment

3 participants

pimpampeter commented Dec 8, 2017

Description

Some pages of the application can be accessed by unauthorised users.

Impact

Currently no sensitive data is available on these pages that can't be accessed via another
method. However, access to these pages should be restricted.

The existence of this vulnerability can be verified by navigating to these URLs:

https://<hostname>/system/authentication/config
https://<hostname>/system/grokpatterns
https://<hostname>/system/logging

Graylog 2.2.0 on Redhat 7

Contributor

joschi commented Dec 9, 2017

I can confirm that this is still an issue in Graylog 2.4.0-beta.3+a6b18a2.

@joschi joschi added this to the 2.4.0 milestone Dec 9, 2017

@kroepke kroepke self-assigned this Dec 13, 2017

kroepke added a commit that referenced this issue Dec 13, 2017

add authentication:read permission
disallow reading authentication provider config if the user doesn't have the necessary permission

#4407

@wafflebot wafflebot bot added the in progress label Dec 13, 2017

@wafflebot wafflebot bot removed the in progress label Dec 14, 2017

edmundoa added a commit that referenced this issue Dec 14, 2017

Don't render partial page content when missing permissions (#4416)
* add authentication:read permission

disallow reading authentication provider config if the user doesn't have the necessary permission

#4407

* do not render authentication page content if permissions are missing

actual data loading is prevented by the server, too

* disallow access to grokpatterns page

also hide create/upload buttons if the user doesn't have the necessary permissions

the backend already disallowed any actions

* hide logger page content if the user does not have the necessary permission

the backend already checks the necessary permissions before returning data

* don't display edit buttons when the user lacks permission to use them (only affected rendering)

don't check permissions twice: once on the page and once in the component
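As an added illustration of the two-layer fix the commit message above describes (this is example code written for this page, not Graylog's own), the block below has a server-side handler that refuses to return the authentication provider configuration unless the caller holds `authentication:read`, and a page renderer that shows a single "no permission" notice instead of a partially rendered page. The colon-separated permission format with `*` as a wildcard part, the `isPermitted` helper name, and the sample configuration are assumptions, not taken from the project.

```javascript
// Example code, not Graylog's own. Permission strings are assumed to use the
// "resource:action" form that "authentication:read" suggests, with "*" allowed
// as a wildcard for any part (e.g. "authentication:*" or plain "*").

// Split "authentication:read" into ["authentication", "read"].
function parsePermission(permission) {
  return permission.split(':');
}

// Does one granted permission (possibly containing wildcards) cover the required one?
// A granted string that is shorter than the required one only covers it when its
// last part is "*" (so "authentication:*" covers "authentication:read", but a bare
// "authentication" does not).
function permissionCovers(granted, required) {
  const g = parsePermission(granted);
  const r = parsePermission(required);
  for (let i = 0; i < r.length; i++) {
    if (i >= g.length) {
      return g[g.length - 1] === '*';
    }
    if (g[i] !== '*' && g[i] !== r[i]) {
      return false;
    }
  }
  return true;
}

// True if any of the user's granted permissions covers the required one.
function isPermitted(userPermissions, required) {
  return userPermissions.some((granted) => permissionCovers(granted, required));
}

// Constructed sample of what the authentication provider config endpoint returns.
const SAMPLE_AUTH_CONFIG = {
  providers: ['ldap', 'mongodb'],
  realmOrder: ['ldap', 'mongodb'],
};

// Server side: the authoritative check. Without the permission the handler
// returns 403 and never touches the configuration data.
function getAuthenticationConfig(user) {
  if (!isPermitted(user.permissions, 'authentication:read')) {
    return { status: 403, body: { message: 'Forbidden' } };
  }
  return { status: 200, body: SAMPLE_AUTH_CONFIG };
}

// Client side: check once at page level and render either the full page or a
// notice. Hiding content is a usability measure; the 403 above is what protects
// the data, which is why the page does not re-check inside each component.
function renderAuthenticationPage(user) {
  if (!isPermitted(user.permissions, 'authentication:read')) {
    return '<p>You do not have permission to view the authentication configuration.</p>';
  }
  const response = getAuthenticationConfig(user);
  const items = response.body.providers.map((p) => `<li>${p}</li>`).join('');
  return `<ul>${items}</ul>`;
}

// Stand-alone usage with constructed users.
const reader = { name: 'reader', permissions: ['authentication:read'] };
const viewer = { name: 'viewer', permissions: ['dashboards:read', 'authentication:edit'] };
console.log(getAuthenticationConfig(reader).status); // 200
console.log(getAuthenticationConfig(viewer).status); // 403
console.log(renderAuthenticationPage(viewer));
```

The page-level check mirrors the commit's "don't check permissions twice" point: the permission is evaluated once when deciding whether to render the page at all, and the components below it can assume they are only reached by a permitted user, while the server-side 403 remains the actual access control.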

edmundoa added a commit that referenced this issue Dec 14, 2017

Don't render partial page content when missing permissions (#4416)
(cherry picked from commit ea4df1d)