Closed Bug 1728221 Opened 3 years ago Closed 3 years ago

Open Grafana Registration - https://earthangel-b40313e5.influxcloud.net/

Categories

(Websites :: Other, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: griffin.francis.1993, Unassigned)

References

()

Details

(Keywords: reporter-external, sec-high, wsec-authorization, Whiteboard: [reporter-external] [web-bounty-form] [verif?])

Attachments

(2 files)

The Grafana instance situated at https://earthangel-b40313e5.influxcloud.net/ is readily available for anyone to sign up.

Once authenticated I was able to view all Dashboards for the Mozilla organisation.

Flags: sec-bounty?
Attached image grafana.PNG

Found mention of this Grafana instance within Slack.

Thanks Griffin, I'm not sure whether it's supposed to be accessible org-wide or not.

:bpitts what access controls does grafana have? should access be limited to certain teams?

Flags: needinfo?(bpitts)

The ability to log in should be limited to employees and members of one specific Mozillians group.

https://github.com/mozilla-iam/sso-dashboard-configuration/blob/master/apps.yml#L2036-L2048

I attempted to authenticate with Github and failed, so I think that SSO is okay.

Looks like the problem is that it is also possible to log in without SSO by creating an account at https://earthangel-b40313e5.influxcloud.net/signup !

I was able to do that and reproduce the issue.

InfluxData provides an option at https://cloud.influxdata.com/manager to enable signup to Grafana, which is on by default. I just turned it off. I do not see a way to sign up anymore, so I think this issue is resolved.

Flags: needinfo?(bpitts)

Griffin, I've deleted your account. If you are still able to log in somehow please let us know.

Thanks. Can confirm that the account has been removed. Just as an FYI, I was looking at some of the POST requests the application was making and I could structure some requests to the databases that were associated with the application.

GET /api/datasources/proxy/3/query?db=dataops&q=SHOW%20DATABASES%20&epoch=ms HTTP/2
Host: earthangel-b40313e5.influxcloud.net
Cookie: grafana_session=3ab25ab054dc7c9a50e998221a74837a
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: application/json, text/plain, */*
X-Grafana-Org-Id: 1
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://earthangel-b40313e5.influxcloud.net/explore?orgId=1&left=%5B%22now-1h%22,%22now%22,%22dataops%22,%7B%22policy%22:%22default%22,%22resultFormat%22:%22time_series%22,%22orderByTime%22:%22ASC%22,%22tags%22:%5B%5D,%22groupBy%22:%5B%7B%22type%22:%22time%22,%22params%22:%5B%22$__interval%22%5D%7D,%7B%22type%22:%22fill%22,%22params%22:%5B%22null%22%5D%7D%5D,%22select%22:%5B%5B%7B%22type%22:%22field%22,%22params%22:%5B%22value%22%5D%7D,%7B%22type%22:%22mean%22,%22params%22:%5B%5D%7D%5D%5D%7D%5D
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

HTTP/2 200 OK
Date: Mon, 30 Aug 2021 22:39:41 GMT
Content-Type: application/json
Request-Id: 2a81562b-09e3-11ec-8def-0242ac110004
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Influxdb-Build: ENT
X-Influxdb-Version: 1.9.3-c1.9.3
X-Request-Id: 2a81562b-09e3-11ec-8def-0242ac110004
X-Xss-Protection: 1; mode=block
{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["svcops"],["dataops"],["relops"],["releng"],["firefoxvcs"],["svcops_aws"],["relops_workers"],["sallt"],["mixedreality"],["performance"],["mozmeao"],["mozilla_it_telegraf"],["mozilla_icinga2"],["mozilla_it_ldap"],["websre"]]}]}]}

Some of the structures associated with these DB calls were very interesting. Wish I had more time to dig around more! There were some mentions of keys etc. here.
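The request above goes through Grafana's datasource proxy (/api/datasources/proxy/<id>/query), which forwards a client-supplied InfluxQL statement and db name to the backing InfluxDB with the datasource's own credentials, so any logged-in user can enumerate databases the dashboards never display. The following is an added example, not code from the bug report, Grafana or InfluxData: a small detector run over constructed access-log lines that flags proxy queries which enumerate structure (SHOW DATABASES, SHOW MEASUREMENTS, ...), attempt mutation, or name a database other than the one the datasource is assumed to serve. The log format (combined-style lines), the sample IPs and usernames, and the mapping of datasource 3 to the dataops database are assumptions for the example.

```python
"""
Detection over Grafana access-log lines for InfluxQL statements sent through the
datasource proxy. Added example; not code from the bug report, Grafana or InfluxData.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined-log style (assumed format; RFC 5737 addresses).
# The first line mirrors the SHOW DATABASES request quoted in the bug report.
SAMPLE_LOG = """\
203.0.113.7 - griffin [30/Aug/2021:22:39:41 +0000] "GET /api/datasources/proxy/3/query?db=dataops&q=SHOW%20DATABASES%20&epoch=ms HTTP/2" 200 512
203.0.113.7 - griffin [30/Aug/2021:22:40:02 +0000] "GET /api/datasources/proxy/3/query?db=dataops&q=SELECT%20mean(%22value%22)%20FROM%20%22cpu%22%20WHERE%20time%20%3E%20now()%20-%201h%20GROUP%20BY%20time(10s)&epoch=ms HTTP/2" 200 2048
203.0.113.7 - griffin [30/Aug/2021:22:41:13 +0000] "GET /api/datasources/proxy/3/query?db=mozilla_it_ldap&q=SHOW%20MEASUREMENTS HTTP/2" 200 900
198.51.100.2 - alice [30/Aug/2021:22:42:00 +0000] "GET /api/dashboards/uid/abc123 HTTP/2" 200 4000
203.0.113.7 - griffin [30/Aug/2021:22:43:30 +0000] "POST /api/datasources/proxy/3/query HTTP/2" 200 300
"""

# Request line of a combined-format entry: method, target, protocol, status.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Grafana datasource proxy query endpoint; the numeric id is the datasource id.
PROXY_RE = re.compile(r"^/api/datasources/proxy/(?P<ds_id>\d+)/query$")

# InfluxQL statements that reveal structure or privileges rather than read a series.
ENUMERATION_STATEMENTS = (
    "SHOW DATABASES", "SHOW MEASUREMENTS", "SHOW USERS", "SHOW GRANTS",
    "SHOW RETENTION POLICIES", "SHOW FIELD KEYS", "SHOW TAG KEYS", "SHOW SERIES",
)
MUTATING_PREFIXES = ("DROP", "DELETE", "CREATE", "GRANT", "REVOKE", "ALTER")


def parse_proxy_query(line):
    """Return {'ds_id','db','query','status'} for a proxy query line, else None."""
    m = REQ_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    pm = PROXY_RE.match(parts.path)
    if not pm:
        return None
    params = parse_qs(parts.query)
    return {
        "ds_id": int(pm.group("ds_id")),
        "db": params.get("db", [None])[0],
        # parse_qs already percent-decodes; collapse whitespace so prefixes match.
        "query": " ".join(params.get("q", [""])[0].split()),
        "status": int(m.group("status")),
    }


def classify_query(q):
    """Label an InfluxQL statement: 'enumeration', 'mutation', 'select' or 'other'."""
    upper = q.upper()
    if any(upper.startswith(s) for s in ENUMERATION_STATEMENTS):
        return "enumeration"
    if any(upper.startswith(p) for p in MUTATING_PREFIXES):
        return "mutation"
    if upper.startswith("SELECT"):
        return "select"
    return "other"


def flag_proxy_queries(log_text, allowed_db_by_ds):
    """
    Scan log lines and return a list of findings. allowed_db_by_ds maps a datasource
    id to the single database it is meant to serve (an assumption supplied by the
    operator); a query naming any other db is flagged, as are enumeration and
    mutation statements regardless of db. Queries carried in a POST body are not
    visible in an access log and are not inspected here.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_proxy_query(line)
        if rec is None:
            continue
        reasons = []
        kind = classify_query(rec["query"])
        if kind in ("enumeration", "mutation"):
            reasons.append(kind)
        expected = allowed_db_by_ds.get(rec["ds_id"])
        if expected is not None and rec["db"] not in (None, expected):
            reasons.append("db-mismatch:%s" % rec["db"])
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_proxy_queries(SAMPLE_LOG, {3: "dataops"}):
        print("ds=%d db=%s %s -> %s" % (f["ds_id"], f["db"], f["query"], ", ".join(f["reasons"])))
```

Run against the constructed log, the detector reports the SHOW DATABASES request and the SHOW MEASUREMENTS request against mozilla_it_ldap (enumeration plus db mismatch), and stays quiet on the ordinary dashboard SELECT. Closing open signup removes the anonymous path, but this kind of check is what tells you whether an already-authenticated user is reaching past the dashboards into the raw datasource.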

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

For bug bounty purposes we're going to consider this an "Authentication Bypass". This is not one of our "Core" sites itself, but it is used for monitoring attacks on those sites so we're going to award more than the "Other sites" default bounty.

Flags: sec-bounty? → sec-bounty+
Keywords: sec-high
Group: websites-security