Security Vuln: Check API access to entity details
Access through the /api/user/<id> and /api/group/<id> routes was not
properly being checked. This meant that anyone could easily enumerate
users and groups.

User information disclosed would include which SRP groups a user is
in, whether they are an admin, which permissions a user has been
granted, as well as the details for every SRP request that user has
submitted, including the character name for the loss. The authentication
source (Test Auth, EVE SSO, etc.) for the user would also be disclosed
through the requests, along with the ID associated with that
authentication method.

Group information disclosed would include the group name, permissions
granted within that group, as well as all members of the group.

v0.12.2 is going to be released shortly addressing this vulnerability.
A large thank you to the individual who brought this to my attention.
paxswill committed Oct 13, 2020
1 parent edf0307 commit 9e03f68
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions src/evesrp/views/api.py
Expand Up @@ -57,7 +57,11 @@ def list_entities():


@api.route('/user/<int:user_id>/')
@login_required
def user_detail(user_id):
if not current_user.admin and not \
current_user.has_permission(PermissionType.admin):
abort(403)
user = User.query.get_or_404(user_id)
# Set up divisions
submit = map(lambda p: p.division,
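Review bot: the new guard in user_detail sits before `User.query.get_or_404(user_id)`, which is the right order: a non-admin receives 403 for every id, existing or not, so the response can no longer be used to tell valid user ids from invalid ones. Two points on the check itself. The trailing-backslash continuation in `if not current_user.admin and not \` is fragile style; wrapping the condition in parentheses, e.g. `if not (current_user.admin or current_user.has_permission(PermissionType.admin)):`, reads more clearly and has the same meaning. Second, the guard also denies a logged-in non-admin access to their own record; if that is intended, a short comment saying so would help, otherwise consider allowing `user_id == current_user.id`. A regression test that asserts 403 for a non-admin session against both an existing and a non-existent id would pin this behaviour down.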
Expand All @@ -84,7 +88,11 @@ def user_detail(user_id):


@api.route('/group/<int:group_id>/')
@login_required
def group_detail(group_id):
if not current_user.admin and not \
current_user.has_permission(PermissionType.admin):
abort(403)
group = Group.query.get_or_404(group_id)
submit = map(lambda p: p.division,
filter(lambda p: p.permission == PermissionType.submit,
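Review bot: this is the same three-line authorization check as in user_detail, and duplicated guards tend to drift apart over time. Factor it into one place, for example an `admin_required` decorator applied under `@login_required` or a helper called by both views, so that any future entity route on this blueprint gets the same check by applying a single decorator. As in the first hunk, placing the check before `Group.query.get_or_404(group_id)` is correct, since 403 is returned whether or not the group exists. It is also worth confirming that `list_entities`, visible in the first hunk header just above user_detail, already applies an equivalent check.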
