Affects Version/s: None
Fix Version/s: None
From: Josh Kwan berkeley
Sent: Wednesday, November 18, 2015 1:38 PM
To: Chris Hyzer
Subject: Re: Grouper Security Vulnerability
I forgot to also include this other issue. I won't produce an advisory for it as it is pretty minor. Here are the details:
By default, Grouper's UI allows you to view 10, 25, 50, or 100 results per page for a given search query. By modifying the pagingTagPageSize parameter, it is possible to increase the results per page.
POST /gms/grouperUi/app/UiV2Main.searchFormSubmit HTTP/1.1
Example: A search query for "smith" yielded 340 results. Changing pagingTagPageSize parameter to 400 allows viewing of all results on a single page.
As I noted in our internal report:
"This could have potential performance and/or DoS impacts, or more easily allow full enumeration of the LDAP or other Grouper connected directory."
I did not test for DoS or performance impacts and I'm not sure if Grouper really cares about a hard restraint of 100 results per page, but wanted to bring this to your attention.