You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@syncope.apache.org by "Andrea Patricelli (JIRA)" <ji...@apache.org> on 2019/01/25 14:40:00 UTC
[jira] [Created] (SYNCOPE-1428) APIs to search by key return 404
instead of 401 for not authenticated calls
Andrea Patricelli created SYNCOPE-1428:
------------------------------------------
Summary: APIs to search by key return 404 instead of 401 for not authenticated calls
Key: SYNCOPE-1428
URL: https://issues.apache.org/jira/browse/SYNCOPE-1428
Project: Syncope
Issue Type: Bug
Components: core
Affects Versions: 2.1.3, 2.0.12
Reporter: Andrea Patricelli
Assignee: Andrea Patricelli
Fix For: 2.0.13, 2.1.4, 3.0.0
Calling the search API on Users, Groups or AnyObjects like the following example returns 404 in case of object not found even with not authenticated calls. This could be exploited to "guess" usernames or (in general) keys of objects.
Request:
{code:java}
curl -X GET "http://[mysyncopedomain]:[mysyncopeport]/syncope/rest/users/notexistingkey" -H "accept: */*" -H "X-Syncope-Domain: Master"{code}
Response:
{code:java}
{"status":404,"type":"NotFound","elements":["NotFoundException: User, Group or Any Object for notexistingkey"]}{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)