An unauthenticated user can utilize information provided by the login page of the webui component to craft HTTP requests that will allow that user to create, read, update, and delete entries in the subscriber database. This includes the ability to add administrative users, add/modify/delete subscribers, and add/modify/delete profiles.
Properly crafted HTTP GET and DELETE requests with empty bodies will cause data to be returned or deleted on the following routes:
http://:3000/api/db/account
http://:3000/api/db/profile
http://:3000/api/db/subscriber
http://:3000/api/db/account/
http://:3000/api/db/profile/<profile_id>
http://:3000/api/db/subscriber/<imsi_number>
Properly crafted HTTP POST,PUT and PATCH requests with properly crafted bodies will cause data to be inserted or updated on the following routes:
http://:3000/api/db/account
http://:3000/api/db/profile
http://:3000/api/db/subscriber
http://:3000/api/db/account/
http://:3000/api/db/profile/<profile_id>
http://:3000/api/db/subscriber/<imsi_number>
This is caused by the configuration of express js in index.js. This should be updated to correctly validate the user making the API calls.
The text was updated successfully, but these errors were encountered:
pobk
added
the
Housekeeping:ToClose
Issues reviewed and closed. Old requests, issues which are not bug, feature or documentation request
label
Feb 17, 2023
This issue has been closed automatically due to lack of activity. This has been done to try and reduce the amount of noise. Please do not comment any further. The Open5GS Team may choose to re-open this issue if necessary.
An unauthenticated user can utilize information provided by the login page of the webui component to craft HTTP requests that will allow that user to create, read, update, and delete entries in the subscriber database. This includes the ability to add administrative users, add/modify/delete subscribers, and add/modify/delete profiles.
Properly crafted HTTP GET and DELETE requests with empty bodies will cause data to be returned or deleted on the following routes:
http://:3000/api/db/account
http://:3000/api/db/profile
http://:3000/api/db/subscriber
http://:3000/api/db/account/
http://:3000/api/db/profile/<profile_id>
http://:3000/api/db/subscriber/<imsi_number>
Properly crafted HTTP POST,PUT and PATCH requests with properly crafted bodies will cause data to be inserted or updated on the following routes:
http://:3000/api/db/account
http://:3000/api/db/profile
http://:3000/api/db/subscriber
http://:3000/api/db/account/
http://:3000/api/db/profile/<profile_id>
http://:3000/api/db/subscriber/<imsi_number>
This is caused by the configuration of express js in index.js. This should be updated to correctly validate the user making the API calls.
The text was updated successfully, but these errors were encountered: