Details
-
Bug
-
Resolution: Unresolved
-
Minor
-
None
-
None
-
None
Description
From: Josh Kwan berkeley
Sent: Wednesday, November 18, 2015 1:38 PM
To: Chris Hyzer
Cc: ktriley
Subject: Re: Grouper Security Vulnerability
Hi Chris,
I forgot to also include this other issue. I won't produce an advisory for it as it is pretty minor. Here are the details:
By default, Grouper's UI allows you to view 10, 25, 50, or 100 results per page for a given search query. By modifying the pagingTagPageSize parameter, it is possible to increase the results per page.
POST /gms/grouperUi/app/UiV2Main.searchFormSubmit HTTP/1.1
Host: grouper.example.com
[...truncated...]
pagingTagPageSize=400&searchQuery=smith [...truncated...]
Example: A search query for "smith" yielded 340 results. Changing pagingTagPageSize parameter to 400 allows viewing of all results on a single page.
As I noted in our internal report:
"This could have potential performance and/or DoS impacts, or more easily allow full enumeration of the LDAP or other Grouper connected directory."
I did not test for DoS or performance impacts and I'm not sure if Grouper really cares about a hard restraint of 100 results per page, but wanted to bring this to your attention.
Thanks,
Josh