
Navigation: Navbar shows extraneous items when unauthenticated #50341

Closed
jmatosgrafana opened this issue Jun 7, 2022 · 8 comments · Fixed by #53051
Labels: area/dashboard/snapshot, area/navigation, help wanted, prio/low (It's a good idea, but not scheduled for any release)

Comments

@jmatosgrafana (Contributor) commented Jun 7, 2022

Viewing a snapshot (or any public route such as the 404 page) as an unauthenticated user shows extraneous items in the Navbar:

[image: screenshot of the navbar shown to an unauthenticated user]

Search, Starred and Dashboards should not be visible as there's nothing an unauthenticated user can do with them. Similarly clicking the Grafana logo redirects to the base url which throws an Unauthorized error. This should probably redirect to /login.

Any fix needs to bear in mind anonymous auth 👍

Original report

If an unauthenticated user accesses the URL https://<grafana_instance>/dashboard/snapshot/{{constructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1 they are shown a generic 404 "Page not found" error with a menu on the left side instead of being redirected to the login page.

Yet no data is being returned when interacting with the menu (and a temporary Unauthorized warning pops up).

This leads to the following security assessment: CVSS score 0.0

Hence this is not a security vulnerability. But as it is confusing for the end user it can be considered a UI bug.
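The issue body asks for Search, Starred and Dashboards to be hidden on public routes, for the logo to point at /login when there is no session, and for anonymous auth to keep working. The following is an added example written for this page, not code from the Grafana repository or from the reporter; the `NavItem`/`AuthState` shapes, the `requiresSignIn` flag, the sample navbar and the function names are assumptions made for illustration.

```typescript
// Added example (not Grafana's own navigation code): filter a navbar tree by
// auth state so that public routes such as snapshots and the 404 page only
// show items an unauthenticated viewer can actually use.

interface NavItem {
  id: string;
  text: string;
  url: string;
  requiresSignIn: boolean; // assumption: true for items that are useless without a session
}

interface AuthState {
  isSignedIn: boolean;  // a real login with an account
  isAnonymous: boolean; // anonymous auth enabled: an implicit org user without an account
}

// Constructed sample navbar, loosely modelled on the items named in the issue.
const SAMPLE_NAV: NavItem[] = [
  { id: 'search', text: 'Search', url: '/?search=open', requiresSignIn: true },
  { id: 'starred', text: 'Starred', url: '/dashboards?starred', requiresSignIn: true },
  { id: 'dashboards', text: 'Dashboards', url: '/dashboards', requiresSignIn: true },
  { id: 'explore', text: 'Explore', url: '/explore', requiresSignIn: true },
  { id: 'help', text: 'Help', url: '/help', requiresSignIn: false },
  { id: 'login', text: 'Sign in', url: '/login', requiresSignIn: false },
];

// Anonymous auth counts as "can browse": the anonymous org user may open
// dashboards and search even though nobody typed a password. This is the
// caveat the issue raises ("any fix needs to bear in mind anonymous auth").
function canUseAuthenticatedNav(auth: AuthState): boolean {
  return auth.isSignedIn || auth.isAnonymous;
}

// Keep items the current viewer can use. The "Sign in" link is the one
// exception: it is hidden only once a real account is signed in, so an
// anonymous viewer still gets a way to log in.
function filterNavForUser(items: NavItem[], auth: AuthState): NavItem[] {
  const browsing = canUseAuthenticatedNav(auth);
  return items.filter((item) => {
    if (item.id === 'login') {
      return !auth.isSignedIn;
    }
    return browsing || !item.requiresSignIn;
  });
}

// Where the logo should link. With no session at all, the base URL only
// produces an Unauthorized error, so /login is the useful target.
function logoTarget(auth: AuthState): string {
  return canUseAuthenticatedNav(auth) ? '/' : '/login';
}

// Convenience for callers that only need the visible ids, e.g. to render.
function visibleNavIds(auth: AuthState): string[] {
  return filterNavForUser(SAMPLE_NAV, auth).map((item) => item.id);
}
```

The decision is made on the viewer's auth state rather than on the route: a snapshot route must stay reachable without a session, so redirecting it to /login (as the original report suggested) is not an option, but the items rendered around it can still be trimmed.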

@ashharrison90 (Contributor)

@jmatosgrafana i can't quite repro this, i'm redirected to login following your steps 🤔

@ashharrison90 ashharrison90 added the needs more info Issue needs more information, like query results, dashboard or panel json, grafana version etc label Jun 7, 2022
@jmatosgrafana (Contributor, Author)

@ashharrison90 I updated the URL (some unwanted encoding after copy paste). I can reproduce it with Chrome and Firefox

@BrotherOfJhonny

I've been trying to demonstrate that the vulnerability exists, but I believe you're just focusing on the thought, "no data has been accessed", and at no time have I described it. The vulnerability lies in the following points:

1. If the user has installed plugins that add new features, these features will also be displayed in the menu. Even if the session does not return anything, the attacker will be able to see these features as they will be displayed in the side menus.
2. Another point is that with the use of a web proxy (Burp, OWASP ZAP, etc.) an attacker can access these menus and perform a reconnaissance of the endpoints; even if it does not return data because it is not a valid session, the attacker will have a view of how calls are made and which endpoints.

This flaw could be categorized as A04:2021 Insecure Design.

Understand I'm trying to contribute to the security of the system.

@jmatosgrafana (Contributor, Author)

Thank you @BrotherOfJhonny for the extra information.

We have cross-checked internally and reached the same conclusion from a security impact point of view: only panel plugins would be listed (not datasource plugins) and anyhow endpoints are public in open source software.

Nevertheless we are committed to consider any feedback that can improve our security posture: your reports enabled us to identify and track this security enhancement issue.

Do not hesitate to come back to us should we have missed something or if you have a specific exploitation scenario in mind.

@ashharrison90 (Contributor)

hi @BrotherOfJhonny 👋

thanks for raising this!

> If the user has installed plugins that add new features, these features will also be displayed in the menu.

can you share steps to reproduce this? opening this link in an incognito window i don't see any plugins listed in the navbar.

> the attacker will have a view how calls are made and which endpoints.

i'm not sure if this is a big concern tbh... they could get a much better idea by reading the source code which is all open source 😅 dashboards/search/explore probably shouldn't be visible, but that seems like a pretty minor UI bug as opposed to any kind of security issue. @jmatosgrafana what do you think? 🤔

as mentioned in the other issue, the problem is that snapshot routes are exposed publicly. we surface the navbar to show the help/login links. redirecting to login is not an option as these routes are designed to be viewed when not logged in.

i don't want you to think we're not interested in tackling this, just trying to ascertain exactly what behaviour you think is a bug. hope that makes sense! 👍

@BrotherOfJhonny commented Jun 14, 2022

hello @ashharrison90

Thank you for your attention and feedback on the possibility mentioned.
I understand your point of view and I understand how the structure of the Grafana system is based. If for you this is a minor glitch in displaying UI menu items, that's fine.
As I stated, my intention is to collaborate with the development of the system and with the community.
Safety is a state of mind; if you feel safe, then OK!

@ashharrison90 (Contributor)

no problem, we're super grateful for any contributions/collaborations we get 😄

i'll rename this task to remove the extraneous items in the navbar (search/dashboards/explore) and we'll add it to our backlog to fix 👍

thanks again!

@ashharrison90 ashharrison90 changed the title Menu on left side displayed with 404 error page instead of login redirect Navigation: Navbar shows extraneous options when unauthenticated Jun 14, 2022
@ashharrison90 ashharrison90 changed the title Navigation: Navbar shows extraneous options when unauthenticated Navigation: Navbar shows extraneous items when unauthenticated Jun 14, 2022
@ashharrison90 ashharrison90 removed their assignment Jun 14, 2022
@TomsioncatiGraf

@BrotherOfJhonny CISO here. +1, we really appreciate the report and for you working with us on these issues.

@natellium natellium added area/navigation help wanted prio/low It's a good idea, but not scheduled for any release and removed needs more info Issue needs more information, like query results, dashboard or panel json, grafana version etc labels Jun 17, 2022
@ashharrison90 ashharrison90 self-assigned this Aug 1, 2022