New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

user detail leak via api request #5068

Closed
jalogisch opened this Issue Sep 5, 2018 · 2 comments

Comments

Projects
None yet
4 participants
@jalogisch
Member

jalogisch commented Sep 5, 2018

Expected Behavior

Only Administrative Users should be able to retreive the user Information of other users from the API.

Current Behavior

When the username is known (or guessed) every user can get details about every user.

# http -a hulle GET https://nuci3.local.lan/graylog/api/users/Nobody
http: password for hulle@nuci3.local.lan:
HTTP/1.1 200 OK

{
    "client_address": null,
    "email": "imnobody@graylog.com",
    "external": false,
    "full_name": "I. M. Nobody",
    "id": "5af475b28c4d850001c17cb2",
    "last_activity": null,
    "permissions": [],
    "preferences": {
        "enableSmartSearch": true,
        "updateUnfocussed": false
    },
    "read_only": false,
    "roles": [
        "Reader",
        "Default - No Access"
    ],
    "session_active": false,
    "session_timeout_ms": 300000,
    "startpage": null,
    "timezone": "America/Chicago",
    "username": "Nobody"
}

Possible Solution

Make the user details only available for the user themself and the Admin.

Context

When running with multiple Users that are not known to each other on the same Graylog Setup, every User would be able to retreive Information about other users. Including what they can access.

This is worse from a company perspective revealing their customer details to other customers, but in addition this could be used as initial informations for further attacks against Graylog.

Your Environment

  • Graylog Version: 2.4.5
@eduault

This comment has been minimized.

eduault commented Sep 7, 2018

The DeLorean will be useful to fix this bug :
image

@bernd bernd added this to the 2.5.0 milestone Oct 8, 2018

@bernd bernd self-assigned this Nov 22, 2018

@bernd bernd closed this in #5079 Nov 23, 2018

@bernd

This comment has been minimized.

Member

bernd commented Nov 23, 2018

This bug has been fixed in #5079 and the fix will be in the upcoming 2.5 release.

bernd added a commit that referenced this issue Nov 23, 2018

edmundoa added a commit that referenced this issue Nov 23, 2018

Limit user details to self and admins in API (#5079) (#5308)
* Limit user details to self and admins in API (#5079)

Fixes #5068

(cherry picked from commit 6d80b74)

* Fix missing import
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment