Project

General

Profile

Actions

Defect #14650

closed

Security vulnerability in Redmine REST API

Added by Wesley Falcao over 11 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Invalid
Affected version:

Description

If I login as a non-administrator and try -

http://localhost:3000/users/

I get a 403 error saying "You are not authorized to access this page".

However, logged in as the same user, I can do

http://localhost:3000/users/1.xml
http://localhost:3000/users/2.xml
...
...
...
http://localhost:3000/users/n.xml

And I can access all the users, including their api keys.

Actions #1

Updated by Jean-Philippe Lang over 11 years ago

  • Private changed from No to Yes
Actions #2

Updated by Jan from Planio www.plan.io almost 9 years ago

  • Status changed from New to Closed
  • Private changed from Yes to No
  • Resolution set to Invalid

Wesley Falcao wrote:

If I login as a non-administrator and try -

http://localhost:3000/users/

I get a 403 error saying "You are not authorized to access this page".

That is intended. There is no public user list for non-admins. /users is the regular admin's user view. This might be seen as a missing feature but not a security problem.

However, logged in as the same user, I can do

http://localhost:3000/users/1.xml
http://localhost:3000/users/2.xml
...
...
...
http://localhost:3000/users/n.xml

This also works "as intended". Users are also able to use the non-API version of these links to see the same details:

Users can define however in their My Account page if their email address may be shown on these pages or not.

And I can access all the users, including their api keys.

Nobody here was able to reproduce this particular claim. API keys are only shown if you are in fact admin or if you are looking at your own user.

Actions

Also available in: Atom PDF