Open Grafana Registration - https://earthangel-b40313e5.influxcloud.net/
Categories
(Websites :: Other, task)
Tracking
(Not tracked)
People
(Reporter: griffin.francis.1993, Unassigned)
References
()
Details
(Keywords: reporter-external, sec-high, wsec-authorization, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
Attachments
(2 files)
The Grafana instance situated at https://earthangel-b40313e5.influxcloud.net/ is readily available for anyone to sign up.
Once authenticated, I was able to view all Dashboards for the Mozilla organisation.
Reporter
Comment 1•3 years ago
Reporter
Comment 2•3 years ago
Found mention to this Grafana instance within Slack.
Reporter
Comment 3•3 years ago
Thanks Griffin, I'm not sure whether it's supposed to be accessible org-wide or not.
:bpitts what access controls does grafana have? should access be limited to certain teams?
Comment 5•3 years ago
The ability to log in should be limited to employees and members of one specific Mozillians group.
https://github.com/mozilla-iam/sso-dashboard-configuration/blob/master/apps.yml#L2036-L2048
I attempted to authenticate with GitHub and failed, so I think that SSO is okay.
Looks like the problem is that it is also possible to log in without SSO by creating an account at https://earthangel-b40313e5.influxcloud.net/signup !
I was able to do that and reproduce the issue.
InfluxData provides an option at https://cloud.influxdata.com/manager to enable signup to Grafana, which is on by default. I just turned it off. I do not see a way to sign up anymore, so I think this issue is resolved.
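For this hosted instance the signup switch lives in InfluxData's cloud manager, as Comment 5 says; on a self-hosted Grafana the equivalent knob is `allow_sign_up` in grafana.ini. The following is an added example, not code from this bug or from Grafana or InfluxData, that audits a grafana.ini fragment for the settings that let people in without going through SSO; the two fragments are constructed, and treating `disable_login_form` as required is an assumption that the deployment wants SSO-only login.

```python
import configparser
from typing import List

# Constructed grafana.ini fragments (not taken from the Mozilla instance).
WEAK_INI = """
[users]
allow_sign_up = true

[auth.anonymous]
enabled = true
org_role = Viewer
"""

HARDENED_INI = """
[users]
allow_sign_up = false

[auth.anonymous]
enabled = false

[auth]
disable_login_form = true
"""


def audit_grafana_ini(text: str) -> List[str]:
    """Return findings for settings that admit users the SSO group did not approve."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    # Self-service signup: anyone who can reach /signup gets an account.
    if cfg.getboolean("users", "allow_sign_up", fallback=False):
        findings.append("[users] allow_sign_up is true: /signup creates accounts outside SSO")
    # Anonymous access: dashboards readable with no account at all.
    if cfg.getboolean("auth.anonymous", "enabled", fallback=False):
        findings.append("[auth.anonymous] enabled is true: dashboards readable without login")
    # Local password form shown next to SSO (assumption: SSO-only login is the goal).
    if not cfg.getboolean("auth", "disable_login_form", fallback=False):
        findings.append("[auth] disable_login_form is false: local password login still offered")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_grafana_ini(ini) or "no findings")
```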
Comment 6•3 years ago
Griffin, I've deleted your account. If you are still able to log in somehow, please let us know.
Reporter
Comment 7•3 years ago
Thanks. Can confirm that the account has been removed. Just as an FYI, I was looking at some of the POST requests the application was making and I could structure some requests to the databases that were associated with the application.
GET /api/datasources/proxy/3/query?db=dataops&q=SHOW%20DATABASES%20&epoch=ms HTTP/2
Host: earthangel-b40313e5.influxcloud.net
Cookie: grafana_session=3ab25ab054dc7c9a50e998221a74837a
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: application/json, text/plain, */*
X-Grafana-Org-Id: 1
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://earthangel-b40313e5.influxcloud.net/explore?orgId=1&left=%5B%22now-1h%22,%22now%22,%22dataops%22,%7B%22policy%22:%22default%22,%22resultFormat%22:%22time_series%22,%22orderByTime%22:%22ASC%22,%22tags%22:%5B%5D,%22groupBy%22:%5B%7B%22type%22:%22time%22,%22params%22:%5B%22$__interval%22%5D%7D,%7B%22type%22:%22fill%22,%22params%22:%5B%22null%22%5D%7D%5D,%22select%22:%5B%5B%7B%22type%22:%22field%22,%22params%22:%5B%22value%22%5D%7D,%7B%22type%22:%22mean%22,%22params%22:%5B%5D%7D%5D%5D%7D%5D
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
HTTP/2 200 OK
Date: Mon, 30 Aug 2021 22:39:41 GMT
Content-Type: application/json
Request-Id: 2a81562b-09e3-11ec-8def-0242ac110004
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Influxdb-Build: ENT
X-Influxdb-Version: 1.9.3-c1.9.3
X-Request-Id: 2a81562b-09e3-11ec-8def-0242ac110004
X-Xss-Protection: 1; mode=block
{"results":[{"statement_id":0,"series":[{"name":"databases","columns":["name"],"values":[["svcops"],["dataops"],["relops"],["releng"],["firefoxvcs"],["svcops_aws"],["relops_workers"],["sallt"],["mixedreality"],["performance"],["mozmeao"],["mozilla_it_telegraf"],["mozilla_icinga2"],["mozilla_it_ldap"],["websre"]]}]}]}
Reporter
Comment 8•3 years ago
Some of the structures associated with these DB calls were very interesting. Wish I had more time to dig around! There were some mentions of keys etc. here.
Comment 10•3 years ago
Resolving based on https://bugzilla.mozilla.org/show_bug.cgi?id=1728221#c5
Comment 11•3 years ago
For bug bounty purposes we're going to consider this an "Authentication Bypass". This is not one of our "Core" sites itself, but it is used for monitoring attacks on those sites so we're going to award more than the "Other sites" default bounty.
Updated•8 months ago
Updated•7 months ago