Authentication Bypass in Webui #837

Closed
rashley-iqt opened this issue Mar 10, 2021 · 1 comment
Labels
Housekeeping:ToClose Issues reviewed and closed. Old requests, issues which are not bug, feature or documentation request

Comments

@rashley-iqt
Contributor

An unauthenticated user can utilize information provided by the login page of the webui component to craft HTTP requests that will allow that user to create, read, update, and delete entries in the subscriber database. This includes the ability to add administrative users, add/modify/delete subscribers, and add/modify/delete profiles.

Properly crafted HTTP GET and DELETE requests with empty bodies will cause data to be returned or deleted on the following routes:
http://:3000/api/db/account
http://:3000/api/db/profile
http://:3000/api/db/subscriber
http://:3000/api/db/account/
http://:3000/api/db/profile/<profile_id>
http://:3000/api/db/subscriber/<imsi_number>

Properly crafted HTTP POST, PUT and PATCH requests with properly crafted bodies will cause data to be inserted or updated on the following routes:
http://:3000/api/db/account
http://:3000/api/db/profile
http://:3000/api/db/subscriber
http://:3000/api/db/account/
http://:3000/api/db/profile/<profile_id>
http://:3000/api/db/subscriber/<imsi_number>

This is caused by the configuration of Express.js in index.js. This should be updated to correctly validate the user making the API calls.
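
As an added illustration of the fix direction named in the issue (validating the caller before any `/api/db` handler runs), and not code from the issue or from Open5GS: an Express-style gate plus a regression check over the listed collections. The session store, the bearer-session scheme and the names `requireSession`, `dispatch` and `auditAnonymousAccess` are assumptions made for the example.

```javascript
// Added example with hypothetical names; not Open5GS code.
// Sessions live server-side and the client holds only an opaque id.
// The id below is a constructed sample; real ids must be random.
const sessions = new Map([
  ['sid-constructed-admin', { user: 'admin', roles: ['admin'] }],
]);

// Accept only "Authorization: Bearer <sid>"; anything else is anonymous.
function sessionFor(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const m = /^Bearer ([A-Za-z0-9._-]+)$/.exec(header);
  return m ? sessions.get(m[1]) || null : null;
}

// Express-style middleware (req, res, next). Deny by default: no method,
// not even a body-less GET or DELETE, reaches a handler without a session.
function requireSession(req, res, next) {
  const session = sessionFor(req);
  if (!session) {
    res.statusCode = 401;
    return res.end(JSON.stringify({ error: 'authentication required' }));
  }
  req.user = session;
  return next();
}

// Offline stand-in for the router. With Express the equivalent wiring is
// app.use('/api/db', requireSession), registered before the route handlers.
function dispatch(method, url, headers) {
  const req = { method, url, headers: headers || {} };
  const res = { statusCode: 200, body: '', end(b) { this.body = b || ''; } };
  // Match the prefix case-insensitively, as Express routing does by default.
  const path = url.split('?')[0].toLowerCase();
  let reachedHandler = false;
  if (path === '/api/db' || path.startsWith('/api/db/')) {
    requireSession(req, res, () => { reachedHandler = true; });
  }
  return { status: res.statusCode, reachedHandler };
}

// Regression check: list every method/route pair an anonymous caller reaches.
function auditAnonymousAccess() {
  const routes = ['/api/db/account', '/api/db/profile', '/api/db/subscriber'];
  const methods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'];
  const open = [];
  for (const r of routes) for (const m of methods) {
    if (dispatch(m, r, {}).reachedHandler) open.push(`${m} ${r}`);
  }
  return open; // an empty array means nothing is exposed
}
```

Running `auditAnonymousAccess()` in a test suite keeps a later route or middleware reordering from silently reopening these endpoints.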

@pobk pobk added the Housekeeping:ToClose Issues reviewed and closed. Old requests, issues which are not bug, feature or documentation request label Feb 17, 2023
@github-actions

This issue has been closed automatically due to lack of activity. This has been done to try and reduce the amount of noise. Please do not comment any further. The Open5GS Team may choose to re-open this issue if necessary.
