You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@syncope.apache.org by "Andrea Patricelli (JIRA)" <ji...@apache.org> on 2019/01/25 14:40:00 UTC

[jira] [Created] (SYNCOPE-1428) APIs to search by key return 404 instead of 401 for not authenticated calls

Andrea Patricelli created SYNCOPE-1428:
------------------------------------------

             Summary: APIs to search by key return 404 instead of 401 for not authenticated calls
                 Key: SYNCOPE-1428
                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1428
             Project: Syncope
          Issue Type: Bug
          Components: core
    Affects Versions: 2.1.3, 2.0.12
            Reporter: Andrea Patricelli
            Assignee: Andrea Patricelli
             Fix For: 2.0.13, 2.1.4, 3.0.0


Calling the search API on Users, Groups or AnyObjects like the following example returns 404 in case of object not found even with not authenticated calls. This could be exploited to "guess" usernames or (in general) keys of objects.

Request:

 
{code:java}
curl -X GET "http://[mysyncopedomain]:[mysyncopeport]/syncope/rest/users/notexistingkey" -H "accept: */*" -H "X-Syncope-Domain: Master"{code}
Response:
{code:java}
{"status":404,"type":"NotFound","elements":["NotFoundException: User, Group or Any Object for notexistingkey"]}{code}
 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)