Administration REST controller protected from unauthorized access

Submitted by Anna Géczi on 15 October, 2019 - 09:07

PCS NG version (prod and all test systems)

JIRA nr.
Issue type
OTRS ticket nr.
OTRS ticket description

Dear Support,
When we are logged in to PCS we can do more than what should be allowed …
It's possible to call the edit page of a user with user ID xxx without a security check.
We can change and save everything of our agency's user, and also of users from a completely different agency: !/app/user/editUser/1/xxx
Our user from our agency:

User from a completely different agency:

Changing e-mails, whatever …

Changing, editing roles is possible

Adding new roles like “PCS Admin” is possible 

So we can give ourselves the "PCS Admin" role, and then we have more rights: to add new users and agencies, edit the timetable and so on.
PCS UI REST Service
Through the Angular REST service, which communicates between the Angular form and the server, it's possible to get all data, even data we should not have access to:
For example, with our user we search for Dossier 193315 and open it in the form: !/app/dossier/193315//details/basic/view

We search for Dossier 193316; the UI tells us it does not exist in the system:

BUT through the REST service we have access to dossier 193316, so we can fetch the dossier JSON and other information from this dossier:

Or we fetch the settings of a different user xxx:
It seems we can call all REST service methods without any check whether we are allowed to ...
Kind Regards,

Neue Informationstechnologien GmbH
Rooseveltplatz 4-5, Top 13, 1090 Wien
Tel +43 1 3679165-214
Mobile +43 699 11685499

Our privacy policy, provided as the information required under the GDPR

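The two symptoms in the e-mail above (any authenticated user can fetch another agency's dossier through the REST service, and the user-edit endpoint lets a caller change roles on any user) are both missing server-side authorization checks. The following is an added illustration and not PCS code: the agency/dossier/user model, the function and field names, the sample data and the "PCS Admin" role check are assumptions made for the example; only the symptom is taken from the ticket. It places the reported behaviour next to a hardened version that enforces object-level ownership and role changes on the server, where the Angular UI's filtering cannot be bypassed.

```python
"""Server-side access control for REST methods: vulnerable vs. hardened.

Added example, not PCS code.  The data model, function names and the role
name "PCS Admin" are assumptions for illustration only.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The authenticated caller may not perform the requested action."""


@dataclass
class User:
    user_id: int
    agency: str
    email: str
    roles: set = field(default_factory=set)


@dataclass
class Dossier:
    dossier_id: int
    agency: str
    data: dict


# Constructed sample data standing in for the server's database (assumption).
USERS = {
    1: User(1, "agency-A", "anna@a.example", {"Agent"}),
    2: User(2, "agency-B", "bob@b.example", {"Agent"}),
    3: User(3, "PCS", "admin@pcs.example", {"PCS Admin"}),
}
DOSSIERS = {
    193315: Dossier(193315, "agency-A", {"subject": "alpha"}),
    193316: Dossier(193316, "agency-B", {"subject": "beta"}),
}

ADMIN_ROLE = "PCS Admin"  # assumed name of the privileged role


def is_admin(user):
    return ADMIN_ROLE in user.roles


# --- Behaviour as reported in the ticket --------------------------------------

def get_dossier_unchecked(caller_id, dossier_id):
    """Returns any existing dossier to any authenticated caller.

    The UI only lists the caller's own agency, so the user sees "not existing",
    but nothing stops a direct REST call for another agency's dossier.
    """
    USERS[caller_id]  # authentication only: the caller must exist
    return DOSSIERS.get(dossier_id)


# --- Hardened versions ---------------------------------------------------------

def get_dossier(caller_id, dossier_id):
    """Object-level check: the caller's agency must own the dossier, or the
    caller must be a PCS Admin.  Another agency's dossier is answered exactly
    like a non-existent one, so the endpoint cannot be used to enumerate IDs."""
    caller = USERS[caller_id]
    dossier = DOSSIERS.get(dossier_id)
    if dossier is None:
        return None
    if is_admin(caller) or dossier.agency == caller.agency:
        return dossier
    return None


def edit_user(caller_id, target_id, changes):
    """Mirrors an editUser endpoint: only the user themself or a PCS Admin may
    edit a user, and only a PCS Admin may change roles.  Returns the updated
    User; raises Forbidden on a denied action."""
    caller = USERS[caller_id]
    target = USERS.get(target_id)
    if target is None:
        raise KeyError(target_id)
    if not (is_admin(caller) or caller.user_id == target.user_id):
        raise Forbidden("may only edit own account")
    if "roles" in changes and not is_admin(caller):
        raise Forbidden("only PCS Admin may change roles")
    if "roles" in changes:
        target.roles = set(changes["roles"])
    if "email" in changes:
        target.email = changes["email"]
    return target


if __name__ == "__main__":
    # Agent of agency-A fetching agency-B's dossier 193316:
    print("unchecked:", get_dossier_unchecked(1, 193316) is not None)  # True
    print("hardened: ", get_dossier(1, 193316) is not None)            # False
```

The point of `get_dossier` returning `None` for both the missing and the foreign dossier is that the REST response carries no more information than the UI already shows; a distinct "forbidden" answer would confirm that the ID exists. In `edit_user` the role check is separate from the ownership check, so a self-edit of an e-mail address is allowed while a self-grant of "PCS Admin" is refused.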

NCA Comment

Unfortunately, the claims in the ticket are correct. However...

1. User-editing URLs are not known or accessible to regular users, only to admin users. Which brings us to a more dangerous thing: how did anyone outside of the PCS team know the username and password of the admin user? Then, besides reverse engineering to find out the URLs, someone needs to know the user ID, which is also not available in the system to regular users. We will restrict access to these URLs in the patch at the end of this week. But again, the most worrying part is the knowledge of the admin passwords. We will change them on all systems. Mr. Dadlik must be made aware that sharing this information that he has found, or the usernames, user IDs and passwords of any user including his own, with others is forbidden and illegal.

2. The issue with the REST endpoints not implementing ACL rules has been known since 2015, and it was raised by Mr. Dadlik back then. Implementation was never done for this due to lack of time. Is it really dangerous? Probably not that much. Again, it requires some knowledge of how to investigate, reverse engineer and understand the data, and malicious intent in the first place. The access with the exact user can afterwards be found in our logs, and this information can then be used to take legal action against such an individual. Fixing this will require more effort, but we can plan this for one of the next patches.

Taken in Patch Release
Friday, 29 June, 2018