syncope-dev mailing list archives

From "Andrea Patricelli (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SYNCOPE-1428) APIs to read by key return 404 instead of 401 for not authenticated calls
Date Fri, 25 Jan 2019 14:43:00 GMT

     [ https://issues.apache.org/jira/browse/SYNCOPE-1428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrea Patricelli updated SYNCOPE-1428:
---------------------------------------
    Description: 
Calling the read API on Users, Groups or AnyObjects as in the following example returns 404
when the object is not found, even for unauthenticated calls. This could be exploited to
"guess" usernames or (in general) keys of objects.

Request:

{code:java}
curl -X GET "http://[mysyncopedomain]:[mysyncopeport]/syncope/rest/users/notexistingkey" -H "accept: */*" -H "X-Syncope-Domain: Master"
{code}

Response:

{code:java}
{"status":404,"type":"NotFound","elements":["NotFoundException: User, Group or Any Object for notexistingkey"]}
{code}

  was:
Calling the search API on Users, Groups or AnyObjects as in the following example returns 404
when the object is not found, even for unauthenticated calls. This could be exploited to
"guess" usernames or (in general) keys of objects.

Request:

{code:java}
curl -X GET "http://[mysyncopedomain]:[mysyncopeport]/syncope/rest/users/notexistingkey" -H "accept: */*" -H "X-Syncope-Domain: Master"
{code}

Response:

{code:java}
{"status":404,"type":"NotFound","elements":["NotFoundException: User, Group or Any Object for notexistingkey"]}
{code}


> APIs to read by key return 404 instead of 401 for not authenticated calls
> -------------------------------------------------------------------------
>
>                 Key: SYNCOPE-1428
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1428
>             Project: Syncope
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.0.12, 2.1.3
>            Reporter: Andrea Patricelli
>            Assignee: Andrea Patricelli
>            Priority: Major
>             Fix For: 2.0.13, 2.1.4, 3.0.0
>
>
> Calling the read API on Users, Groups or AnyObjects as in the following example returns 404 when the object is not found, even for unauthenticated calls. This could be exploited to "guess" usernames or (in general) keys of objects.
> Request:
>
> {code:java}
> curl -X GET "http://[mysyncopedomain]:[mysyncopeport]/syncope/rest/users/notexistingkey" -H "accept: */*" -H "X-Syncope-Domain: Master"
> {code}
> Response:
> {code:java}
> {"status":404,"type":"NotFound","elements":["NotFoundException: User, Group or Any Object for notexistingkey"]}
> {code}
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
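A way to check a deployment for the oracle described in this issue, added here as an example; it is not part of the report and not Syncope's own code. It sends the same unauthenticated GET as the curl command above for one key that is known to exist and one that is not, and reports whether the two status codes differ. The expected correct behaviour (401 for both requests) is taken from the issue title; the base URL, the domain header value, the sample keys, the function names and the offline stand-in server are assumptions of this example.

```python
"""Detect a key-enumeration oracle on an unauthenticated read-by-key endpoint.

Vulnerable behaviour (this issue): a missing key answers 404, an existing key
answers 401, so a client with no credentials learns which keys exist.
Fixed behaviour: authentication is enforced before the lookup, so both answer 401.
"""
import urllib.error
import urllib.parse
import urllib.request


def http_status(url, headers):
    """Real fetcher: unauthenticated GET, returning only the HTTP status code."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def read_by_key_status(base_url, domain, key, fetch=http_status):
    """Status of GET {base_url}/users/{key} with the headers used in the report.

    `fetch` is injectable so the check can run against a constructed server.
    """
    url = f"{base_url.rstrip('/')}/users/{urllib.parse.quote(key, safe='')}"
    headers = {"accept": "*/*", "X-Syncope-Domain": domain}
    return fetch(url, headers)


def is_enumeration_oracle(base_url, domain, existing_key, missing_key, fetch=http_status):
    """Return (leaks, statuses).

    leaks is True when an unauthenticated caller can distinguish an existing
    key from a missing one by status code alone. A fixed server answers the
    same code (401) for both, whatever the key.
    """
    existing = read_by_key_status(base_url, domain, existing_key, fetch)
    missing = read_by_key_status(base_url, domain, missing_key, fetch)
    return existing != missing, {"existing": existing, "missing": missing}


def fake_server(behaviour):
    """Constructed stand-in for a Syncope core so the check runs offline.

    'vulnerable': the lookup runs before the auth check, so a missing key
                  surfaces as 404 while an existing one is rejected with 401.
    'fixed':      authentication is enforced first; every unauthenticated read
                  is 401 regardless of whether the key exists.
    The key set is invented for the example.
    """
    known_keys = {"alice", "bob"}

    def fetch(url, headers):
        key = urllib.parse.unquote(url.rsplit("/", 1)[-1])
        if behaviour == "vulnerable" and key not in known_keys:
            return 404
        return 401

    return fetch


if __name__ == "__main__":
    base = "http://syncope.example:9080/syncope/rest"  # assumed host and port
    for mode in ("vulnerable", "fixed"):
        leaks, statuses = is_enumeration_oracle(
            base, "Master", "alice", "notexistingkey", fetch=fake_server(mode))
        print(f"{mode}: leaks={leaks} statuses={statuses}")
```

Against a live instance, drop the `fetch=` argument and pass a key you know exists (your own username is enough); any difference in status codes between the two unauthenticated requests means the endpoint still discloses object existence.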
