Authentication Bypass in Webui #837

Open
rashley-iqt opened this issue Mar 10, 2021 · 0 comments
@rashley-iqt rashley-iqt commented Mar 10, 2021

An unauthenticated user can utilize information provided by the login page of the webui component to craft HTTP requests that will allow that user to create, read, update, and delete entries in the subscriber database. This includes the ability to add administrative users, add/modify/delete subscribers, and add/modify/delete profiles.

Properly crafted HTTP GET and DELETE requests with empty bodies will cause data to be returned or deleted on the following routes:
http://:3000/api/db/account
http://:3000/api/db/profile
http://:3000/api/db/subscriber
http://:3000/api/db/account/
http://:3000/api/db/profile/<profile_id>
http://:3000/api/db/subscriber/<imsi_number>

Properly crafted HTTP POST, PUT and PATCH requests with properly crafted bodies will cause data to be inserted or updated on the following routes:
http://:3000/api/db/account
http://:3000/api/db/profile
http://:3000/api/db/subscriber
http://:3000/api/db/account/
http://:3000/api/db/profile/<profile_id>
http://:3000/api/db/subscriber/<imsi_number>

This is caused by the configuration of Express.js in index.js. This should be updated to correctly validate the user making the API calls.
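One way to put a user check in front of the `/api/db` routes listed in the issue, as an added example that is not the project's code or part of the original report. The bearer-token format, the in-memory `sessions` store, and the names `requireSession`, `dispatch` and `listSubscribers` are assumptions made for illustration.

```javascript
// Added example: Express-style middleware with the (req, res, next) signature.
// The session store and token format are assumptions, not the project's own.
const sessions = new Map([
  // Constructed sample sessions.
  ['s3ss10n-constructed', { user: 'admin', expires: Date.now() + 60_000 }],
  ['expired-constructed', { user: 'admin', expires: Date.now() - 1 }],
]);

// Default-deny guard: every request must present a live, known session.
// In an Express app it would be mounted ahead of the routes, for example
// app.use('/api/db', requireSession(sessions)).
function requireSession(store, now = Date.now) {
  return function (req, res, next) {
    const header = (req.headers && req.headers.authorization) || '';
    const match = /^Bearer ([A-Za-z0-9._-]+)$/.exec(header);
    const session = match ? store.get(match[1]) : undefined;
    if (!session || session.expires <= now()) {
      res.statusCode = 401;
      res.body = { error: 'authentication required' };
      return; // next() is not called, so the database handler never runs
    }
    req.user = session.user;
    next();
  };
}

// Minimal stand-in for the Express middleware chain, so the example runs
// without dependencies: each function runs in order until one stops.
function dispatch(chain, req) {
  const res = { statusCode: 200, body: null };
  let i = 0;
  const next = () => {
    const fn = chain[i++];
    if (fn) fn(req, res, next);
  };
  next();
  return res;
}

// Hypothetical handler standing in for a subscriber-database route.
const listSubscribers = (req, res) => {
  res.body = { subscribers: [], requestedBy: req.user || null };
};

// Handler reachable with no check (the condition the issue reports)...
const unguarded = [listSubscribers];
// ...and the same handler with the guard in front of it.
const guarded = [requireSession(sessions), listSubscribers];
```

The guard applies to every HTTP method because it runs before method-specific routing, which covers the GET, DELETE, POST, PUT and PATCH cases together.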
