This repository has been archived by the owner on Jan 24, 2023. It is now read-only.

/uaa page is still available in a configured system #3056

Closed
richard-cox opened this issue Sep 24, 2018 · 3 comments · Fixed by #3768

richard-cox (Contributor) commented Sep 24, 2018

  • the setup endpoints will error if the config is there; however, the user can still access /uaa
  • need to disable the route or redirect to /
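One way to implement the "disable the route or redirect to /" fix described above, as an added example that is not Stratos code: a single gate in front of both the setup page and the setup API, keyed off the same "configuration exists" state that the setup endpoints already check. Once configured, the page redirects to / and the API paths return 404, so the protection no longer depends on the setup handler itself rejecting input. The paths `/uaa` and `/pp/v1/setup/uaa`, the handler bodies and the `SetupGate` type are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// Hypothetical routes, assumed for this example; not taken from Stratos.
const (
	setupPagePath  = "/uaa"          // first-run UI page
	setupAPIPrefix = "/pp/v1/setup"  // API the page posts to
)

// SetupGate wraps the first-run setup handlers. While the system is
// unconfigured it passes requests through. Once MarkConfigured has been
// called, the page redirects to / and the API routes answer 404, so
// neither the UI nor the endpoints behind it stay reachable.
type SetupGate struct {
	configured atomic.Bool
	next       http.Handler
}

// MarkConfigured flips the gate; in a real system this would be derived
// from the persisted configuration, not from an in-memory flag.
func (g *SetupGate) MarkConfigured() { g.configured.Store(true) }

func (g *SetupGate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !g.configured.Load() {
		g.next.ServeHTTP(w, r)
		return
	}
	if strings.HasPrefix(r.URL.Path, setupAPIPrefix) {
		// Do not acknowledge the API once setup is done.
		http.NotFound(w, r)
		return
	}
	// Browser hit on the setup page: send the user to the console root.
	http.Redirect(w, r, "/", http.StatusSeeOther)
}

// NewSetupServer builds a root mux with a stand-in console page plus the
// gated setup page and setup API. Both setup routes share one gate, so
// they cannot drift apart.
func NewSetupServer() (*http.ServeMux, *SetupGate) {
	setup := http.NewServeMux()
	setup.HandleFunc(setupPagePath, func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html>setup form: enter UAA endpoint</html>")
	})
	setup.HandleFunc(setupAPIPrefix+"/uaa", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		fmt.Fprint(w, `{"status":"saved"}`) // stand-in for persisting config
	})
	gate := &SetupGate{next: setup}

	root := http.NewServeMux()
	root.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "console")
	})
	root.Handle(setupPagePath, gate)
	root.Handle(setupAPIPrefix+"/", gate)
	return root, gate
}

// Probe issues an in-memory request and returns the status code and the
// Location header, which is what a check for this issue needs to see.
func Probe(h http.Handler, method, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	srv, gate := NewSetupServer()
	code, _ := Probe(srv, http.MethodGet, setupPagePath)
	fmt.Println("unconfigured GET /uaa:", code)
	gate.MarkConfigured()
	code, loc := Probe(srv, http.MethodGet, setupPagePath)
	fmt.Println("configured GET /uaa:", code, "->", loc)
	code, _ = Probe(srv, http.MethodPost, setupAPIPrefix+"/uaa")
	fmt.Println("configured POST setup API:", code)
}
```

The useful property is that the gate sits at the router, ahead of any handler logic: a future bug in the setup handler's own "already configured" check cannot re-expose the form or its API, because the request never reaches it.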
nwmac self-assigned this Jun 12, 2019
brittag commented Jul 17, 2019

I noticed that this issue is similar to #3598 and this one is older, so I'm adding a comment here.

My team noticed this issue in this issue backlog, and we believe this is important to fix for good "defense in depth" security practices - it's important to not expose any extra functionality that does not need to be exposed. Even if this current /uaa page returns an error if an attacker tries to input alternate configuration, it's still a serious potential vulnerability because another bug could come up that enabled them to submit real information and alter the system.

So we would encourage prioritizing this issue and considering any other place in Stratos where unnecessary functionality is exposed. Happy to provide further comments or ideas if helpful. Thank you!

(cc @nwmac since you self-assigned this recently)

richard-cox (Contributor, Author) commented

Hi @brittag, thanks for commenting. We'll look into this in our next sprint (due to start next week).

brittag commented Jul 18, 2019

Thank you @richard-cox, I appreciate it!
