Administration rest controller protected from unauthorized access

Submitted by Anna Géczi on 15 October, 2019 - 09:07
Basic
Description
Summary

PCS NG version 1.9.2.10 (prod and all test systems)

JIRA nr.
https://extranet.netcetera.biz/jira/browse/RNE014-2183
Issue type
Story
Priority
Major
Details
OTRS ticket nr.
2018062687000094
OTRS ticket description

Dear Support,

When we are logged in to PCS we can do more than should be allowed …

PCS UI

It’s possible to call the edit page of a user with user id xxx without a security check.
We can change and save everything for our agency's users, and also for users of completely different agencies.

https://pcs-online.rne.eu/pcs/#!/app/user/editUser/1/xxx

Our user of our agency:

[screenshot]

User of a completely different agency:

[screenshot]

Change mails, whatever …

[screenshot]

Changing and editing roles is possible

[screenshot]

Adding new roles like “PCS Admin” is possible

[screenshot]

So we can give ourselves the “PCS Admin” role, and then we have more rights to add new users, agencies, edit timetables and so on

[screenshot]

PCS UI Rest Service

It’s possible through the Angular REST Service, which communicates between the Angular form and the server, to get all data, even data we should not have access to:

For example, with our user we search dossier 193315 and open it in the form:

https://pcs-online.rne.eu/pcs/#!/app/dossier/193315//details/basic/view

We search for dossier 193316, the UI tells us it’s not existing in the system:

BUT through the REST Service we have access to the dossier 193316, so we can fetch the dossier JSON and other information from this dossier:

https://pcs-online.rne.eu/pcs/rest/dossiers/193316

Or we fetch from a different user xxx his settings:

https://pcs-online.rne.eu/pcs/rest/user/xxx

It seems we can call all REST service methods without checks if we are allowed to ..

Kind Regards,

Andreas Dadlik
Software Architect

Neue Informationstechnologien GmbH
Rooseveltplatz 4-5, Top 13, 1090 Wien
Tel +43 1 3679165-214
Mobile +43 699 11685499
andreas.dadlik@ace.at
www.ace.at

NCA Comment

Unfortunately the claims in the ticket are correct. However...

1. User editing URLs are not known or accessible to regular users, only to admin users. Which brings us to a more dangerous thing: how did anyone outside of the PCS team know the username and password of the admin user? Then, besides reverse engineering to find out the URLs, someone needs to know the user id, which is also not available in the system for regular users. We will restrict the access to these URLs in the patch at the end of this week. But again, the most worrying part is the knowledge of the admin passwords. We will change them on all systems. Mr. Dadlik must be made aware that sharing this information that he has found, or the usernames, user ids and passwords of any user including his own, with others is forbidden and illegal.

2. The issue with REST endpoints not implementing ACL rules has been known since 2015 and it was raised by Mr. Dadlik back then. Implementation was never done for this due to lack of time. Is it really dangerous? Probably not that much. Again, it requires some knowledge on how to investigate, reverse engineer and understand the data, and having the malicious intent in the first place. The access with the exact user can afterwards be found in our logs and this information can then be used to take legal action against such an individual. Fixing this will require more effort but we can plan this for one of the next patches.

Taken in Patch Release
Friday, 29 June, 2018
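Both the ticket and the NCA comment describe REST endpoints that return or modify dossiers and users without checking whether the caller may touch that particular record. As an added example that is not PCS code, the following Python sketches the object-level check such endpoints need: agency-scoped dossier reads, agency-scoped user edits, and no granting of roles the caller does not hold (which closes the "PCS Admin" escalation). The role names, agency names and sample records are assumptions; only the two dossier ids come from the ticket.

```python
# Added example, not PCS code: object-level authorization for the two REST
# resources named in the ticket, scoped by the caller's agency. All names,
# roles, ids and records below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    agency: str
    roles: frozenset = frozenset()

@dataclass(frozen=True)
class Dossier:
    dossier_id: int
    agency: str

# Constructed stand-in for the PCS database (dossier ids come from the ticket).
USERS = {
    1: User(1, "agency-A", frozenset({"AGENCY_ADMIN"})),
    2: User(2, "agency-A"),
    3: User(3, "agency-B"),
    9: User(9, "pcs", frozenset({"PCS_ADMIN"})),
}
DOSSIERS = {193315: Dossier(193315, "agency-A"), 193316: Dossier(193316, "agency-B")}
AUDIT_LOG = []  # every denied request, recorded against the exact calling user

def _deny(caller, action, target):
    AUDIT_LOG.append((caller.user_id, action, target))
    return 404  # same answer as for a missing id, so the check does not confirm ids exist

def get_dossier(caller, dossier_id):
    """GET /rest/dossiers/{id}: readable only by PCS admins and the owning agency."""
    dossier = DOSSIERS.get(dossier_id)
    allowed = dossier is not None and ("PCS_ADMIN" in caller.roles or dossier.agency == caller.agency)
    return 200 if allowed else _deny(caller, "read-dossier", dossier_id)

def edit_user(caller, target_id, new_roles):
    """PUT /rest/user/{id}: agency admins may edit only users of their own agency,
    and nobody may grant a role they do not hold themselves (blocks the PCS Admin escalation)."""
    target = USERS.get(target_id)
    if target is None:
        return _deny(caller, "edit-user", target_id)
    is_pcs_admin = "PCS_ADMIN" in caller.roles
    same_agency_admin = "AGENCY_ADMIN" in caller.roles and target.agency == caller.agency
    if not (is_pcs_admin or same_agency_admin):
        return _deny(caller, "edit-user", target_id)
    if not set(new_roles) <= caller.roles:
        return _deny(caller, "grant-roles", target_id)
    return 200
```

The denial log is what makes the NCA comment's "find the exact user in our logs" possible before any damage is done, rather than only after it.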