/graylog2-server

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

user detail leak via api request #5068

Closed
jalogisch opened this Issue Sep 5, 2018 · 2 comments

Comments

Assignees

@bernd bernd

Labels
bug security triaged
Projects
None yet
Milestone
  2.5.0
4 participants
@jalogisch @eduault @bernd @dennisoelkers
@jalogisch
Member

jalogisch commented Sep 5, 2018

Expected Behavior

Only Administrative Users should be able to retreive the user Information of other users from the API.

Current Behavior

When the username is known (or guessed) every user can get details about every user.

# http -a hulle GET https://nuci3.local.lan/graylog/api/users/Nobody
http: password for hulle@nuci3.local.lan:
HTTP/1.1 200 OK

{
    "client_address": null,
    "email": "imnobody@graylog.com",
    "external": false,
    "full_name": "I. M. Nobody",
    "id": "5af475b28c4d850001c17cb2",
    "last_activity": null,
    "permissions": [],
    "preferences": {
        "enableSmartSearch": true,
        "updateUnfocussed": false
    },
    "read_only": false,
    "roles": [
        "Reader",
        "Default - No Access"
    ],
    "session_active": false,
    "session_timeout_ms": 300000,
    "startpage": null,
    "timezone": "America/Chicago",
    "username": "Nobody"
}

Possible Solution

Make the user details only available for the user themself and the Admin.

Context

When running with multiple Users that are not known to each other on the same Graylog Setup, every User would be able to retreive Information about other users. Including what they can access.

This is worse from a company perspective revealing their customer details to other customers, but in addition this could be used as initial informations for further attacks against Graylog.

Your Environment

  • Graylog Version: 2.4.5

@dennisoelkers dennisoelkers added the security label Sep 5, 2018

@radykal-com radykal-com referenced this issue Sep 6, 2018

Merged

Limit user details to self and admins in API #5079

4 of 9 tasks complete
@eduault

This comment has been minimized.

Sign in to view

eduault commented Sep 7, 2018
edited

The DeLorean will be useful to fix this bug :
image

@jalogisch jalogisch added bug triaged labels Sep 10, 2018

@bernd bernd added this to the 2.5.0 milestone Oct 8, 2018

@bernd bernd self-assigned this Nov 22, 2018

@bernd bernd closed this in #5079 Nov 23, 2018

bernd added a commit that referenced this issue Nov 23, 2018

@radykal-com @bernd
Limit user details to self and admins in API (#5079) 
Fixes #5068
6d80b74
@bernd

This comment has been minimized.

Sign in to view
Member

bernd commented Nov 23, 2018

This bug has been fixed in #5079 and the fix will be in the upcoming 2.5 release.

bernd added a commit that referenced this issue Nov 23, 2018

@radykal-com @bernd
Limit user details to self and admins in API (#5079) 
Fixes #5068

(cherry picked from commit 6d80b74)
Loading status checks…
9794d77

@bernd bernd referenced this issue Nov 23, 2018

Merged

Limit user details to self and admins in API (#5079) #5308

edmundoa added a commit that referenced this issue Nov 23, 2018

@bernd @edmundoa
Limit user details to self and admins in API (#5079) (#5308) 
* Limit user details to self and admins in API (#5079)

Fixes #5068

(cherry picked from commit 6d80b74)

* Fix missing import
754b0d5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment