Unprotected subjects query
CLN-011 — Unprotected subjects query
Vulnerability ID: CLN-011
Vulnerability type: Information Exposure
Threat level: Moderate
Description:
Queries for the list of subjects and associated information from the GraphQL backend do not require any authentication.
Technical description:
Following the discovery of GraphQL endpoints that were not properly secured CLN-001 (page 16), we found that queries for subjects (or the equivalent gqlsubjects) will return a list of all subjects and their teachers to an unauthenticated request.
Example curl request:
curl -X GET https://sis5.c-b-e-s.de/graphql/ -H "Content-Type: application/json" -d '{"query":"query
subjects{ items: subjects{id name shortName teachers{id fullName}}}"}'Example response:
{"data":{"items":[{"id":"178","name":"Biologie","shortName":"bio","teachers":
[{"id":"3446","fullName":"Dippel, Janet"},{"id":"3440","fullName":"Etzold, Kathi"},
{"id":"3434","fullName":"Zirme, Marita"}]},{"id":"177","name":"Chemie","shortName":"ch","teachers":
[{"id":"3447","fullName":"Briemer, Roswitha"},{"id":"3446","fullName":"Dippel, Janet"}]},
{"id":"179","name":"Deutsch","shortName":"de","teachers":[{"id":"3441","fullName":"Dehmel,
Elli"},{"id":"3439","fullName":"Etzold, Karl-Peter"},{"id":"3449","fullName":"M\u00fchle,
Brunhilde"},{"id":"3443","fullName":"Reinhardt, Ilka"},{"id":"3448","fullName":"Stroh, Max"}]},
{"id":"180","name":"Englisch","shortName":"en","teachers":[{"id":"3439","fullName":"Etzold, Karl-
Peter"},{"id":"3442","fullName":"Hermann, Sibylla"},{"id":"3431","fullName":"Heser, Wally"}]},
{"id":"181","name":"Franz\u00f6sisch","shortName":"fr","teachers":[{"id":"3432","fullName":"Peukert,
Zeljko"},{"id":"3444","fullName":"Schleich, Sabrina"},{"id":"3434","fullName":"Zirme, Marita"}]},
{"id":"186","name":"Geographie","shortName":"geo","teachers":[{"id":"3437","fullName":"Sauer,
Rosalia"}]},{"id":"188","name":"Informatik","shortName":"if","teachers":
[{"id":"3439","fullName":"Etzold, Karl-Peter"},{"id":"3444","fullName":"Schleich,
Sabrina"}]},{"id":"185","name":"Kunst","shortName":"ku","teachers":
[{"id":"3442","fullName":"Hermann, Sibylla"},{"id":"3430","fullName":"L\u00f6chel, Arthur"}]},
{"id":"175","name":"Mathematik","shortName":"ma","teachers":[{"id":"3446","fullName":"Dippel,
Janet"},{"id":"3433","fullName":"Ladeck, Sinaida"},{"id":"3430","fullName":"L\u00f6chel,
Arthur"},{"id":"3436","fullName":"Naser, Orhan"},{"id":"3434","fullName":"Zirme, Marita"}]},
{"id":"184","name":"Musik","shortName":"mu","teachers":[{"id":"3441","fullName":"Dehmel,
Elli"},{"id":"3430","fullName":"L\u00f6chel, Arthur"},{"id":"3448","fullName":"Stroh, Max"}]},
{"id":"187","name":"Philosophie","shortName":"ph","teachers":[{"id":"3430","fullName":"L
\u00f6chel, Arthur"}]},{"id":"176","name":"Physik","shortName":"phy","teachers":
[{"id":"3447","fullName":"Briemer, Roswitha"},{"id":"3439","fullName":"Etzold, Karl-
Peter"},{"id":"3445","fullName":"Finke, Lothar"},{"id":"3431","fullName":"Heser, Wally"}]},
{"id":"182","name":"Spanisch","shortName":"spaz","teachers":[{"id":"3438","fullName":"Harloff,
Alwina"},{"id":"3433","fullName":"Ladeck, Sinaida"},{"id":"3437","fullName":"Sauer, Rosalia"}]},
{"id":"183","name":"Sport","shortName":"sp","teachers":[{"id":"3432","fullName":"Peukert,
Zeljko"}]}]}}Impact:
Sensitive information in the form of a complete list of the school's subjects and corresponding teachers is available to unauthenticated users.
Recommendation:
Review the permissions protecting queries on subjects and gqlsubject to prevent unauthenticated access.
Activity
added Security part::backend type::bug labels
assigned to @yuha
changed milestone to /AlekSIS%"[NLnet #6 (closed)] Process issues found in testing and security audit"
created branch
38-unprotected-subjects-queryto address this issuementioned in merge request !82 (merged)
closed with commit f0cbe4e1
mentioned in commit f0cbe4e1
