Navigation: Navbar shows extraneous items when unauthenticated #50341
Comments
@jmatosgrafana I can't quite repro this; I'm redirected to login following your steps.
@ashharrison90 I updated the URL (some unwanted encoding after copy paste). I can reproduce it with Chrome and Firefox.
I've been trying to demonstrate that the vulnerability exists, but I believe you're just focusing on the thought "no data has been accessed", and at no time have I described it. The vulnerability lies in the following points: if the user has installed plugins that add new features, these features will also be displayed in the menu. Even if the session does not return anything, the attacker will be able to see these features, as they will be displayed in the side menus. This flaw could be categorized as A04:2021 Insecure Design. Understand I'm trying to contribute to the security of the system.
Thank you @BrotherOfJhonny for the extra information. We have cross-checked internally and reached the same conclusion from a security impact point of view: only panel plugins would be listed (not datasource plugins), and anyhow endpoints are public in open source software. Nevertheless we are committed to consider any feedback that can improve our security posture: your reports enabled us to identify and track this security enhancement issue. Do not hesitate to come back to us should we have missed something or if you have a specific exploitation scenario in mind.
Hi @BrotherOfJhonny, thanks for raising this!
Can you share steps to reproduce this? Opening this link in an incognito window, I don't see any plugins listed in the navbar.
I'm not sure if this is a big concern tbh... they could get a much better idea by reading the source code, which is all open source as mentioned in the other issue; the problem is that snapshot routes are exposed publicly. We surface the navbar to show the help/login links. Redirecting to login is not an option, as these routes are designed to be viewed when not logged in. I don't want you to think we're not interested in tackling this, just trying to ascertain exactly what behaviour you think is a bug. Hope that makes sense!
Hello @ashharrison90, thank you for your attention and feedback on the possibility mentioned.
No problem, we're super grateful for any contributions/collaborations we get. I'll rename this task to remove the extraneous items in the navbar. Thanks again!
@BrotherOfJhonny CISO here. +1, we really appreciate the report and for you working with us on these issues.
Viewing a snapshot (or any public route such as the 404 page) as an unauthenticated user shows extraneous items in the Navbar:
Search, Starred and Dashboards should not be visible, as there's nothing an unauthenticated user can do with them. Similarly, clicking the Grafana logo redirects to the base URL, which throws an Unauthorized error. This should probably redirect to /login. Any fix needs to bear in mind anonymous auth 👍
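As an added illustration of the behaviour the issue asks for (example code written for this page, not Grafana's own navbar implementation), the following TypeScript models the three auth states the issue has to distinguish, including the anonymous-auth case, filters a constructed navbar item list by state, and picks the logo link target. The `UserSession` fields, the `showFor` field, the item ids and the URLs other than /login are assumptions made up for the example.

```typescript
// Added example, not Grafana's code. Models navbar visibility per auth state so
// that unauthenticated visitors of public routes (snapshots, the 404 page) only
// see items they can actually use. Item ids and URLs are constructed.

type AuthState = 'unauthenticated' | 'anonymous' | 'authenticated';

interface UserSession {
  isSignedIn: boolean;   // a real login (assumed field name)
  isAnonymous: boolean;  // anonymous auth is enabled and this is an anon session (assumed)
}

interface NavItem {
  id: string;
  text: string;
  url: string;
  showFor: AuthState[];  // auth states in which the item is rendered (assumed field)
}

// Derive the auth state from the session. A signed-in user wins over the
// anonymous flag, so a real login never gets the reduced anonymous menu.
function authState(user: UserSession): AuthState {
  if (user.isSignedIn) return 'authenticated';
  if (user.isAnonymous) return 'anonymous';
  return 'unauthenticated';
}

// Constructed sample navbar. Anonymous users can browse dashboards and search,
// but have no identity to star against, so Starred is reserved for real logins.
const NAV_ITEMS: NavItem[] = [
  { id: 'search',     text: 'Search',     url: '/?search=open',       showFor: ['anonymous', 'authenticated'] },
  { id: 'starred',    text: 'Starred',    url: '/dashboards?starred', showFor: ['authenticated'] },
  { id: 'dashboards', text: 'Dashboards', url: '/dashboards',         showFor: ['anonymous', 'authenticated'] },
  { id: 'help',       text: 'Help',       url: '/help',               showFor: ['unauthenticated', 'anonymous', 'authenticated'] },
  { id: 'login',      text: 'Sign in',    url: '/login',              showFor: ['unauthenticated', 'anonymous'] },
];

// Keep only the items allowed for the current state; order is preserved.
function visibleNavItems(items: NavItem[], user: UserSession): NavItem[] {
  const state = authState(user);
  return items.filter((item) => item.showFor.includes(state));
}

// The logo link: an unauthenticated visitor should land on /login rather than
// on the base URL, which would only produce an Unauthorized error.
function logoTarget(user: UserSession): string {
  return authState(user) === 'unauthenticated' ? '/login' : '/';
}

// Config check a reviewer can run against a nav definition: returns the ids of
// items that require a login yet are marked visible to unauthenticated visitors.
function leaksPrivilegedItems(items: NavItem[], privilegedIds: string[]): string[] {
  return items
    .filter((item) => privilegedIds.includes(item.id) && item.showFor.includes('unauthenticated'))
    .map((item) => item.id);
}

// Usage: what a logged-out visitor of a snapshot or 404 page would get.
const guest: UserSession = { isSignedIn: false, isAnonymous: false };
console.log(visibleNavItems(NAV_ITEMS, guest).map((i) => i.text)); // → [ 'Help', 'Sign in' ]
console.log(logoTarget(guest));                                    // → /login
```

The `showFor` list on each item is the whole policy, so the anonymous case is handled by data rather than by scattered `if` checks, and `leaksPrivilegedItems` gives a cheap regression test that no login-only item is ever re-exposed to unauthenticated visitors.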
Original report
If an unauthenticated user accesses the URL
https://<grafana_instance>/dashboard/snapshot/{{constructor.constructor'/.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd?orgId=1
he is displayed a generic 404 "Page not found" error with a menu on the left side instead of being redirected to the login page. Yet no data is being returned when interacting with the menu (and a temporary Unauthorized warning pops up).
This leads to the following security assessment: CVSS score 0.0
Hence this is not a security vulnerability. But as it is confusing for the end user it can be considered a UI bug.