Grouper / GRP-1224

Shouldn't be able to change paging size from UI


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: UI
    • Labels: None

      Description

      From: Josh Kwan berkeley
      Sent: Wednesday, November 18, 2015 1:38 PM
      To: Chris Hyzer
      Cc: ktriley
      Subject: Re: Grouper Security Vulnerability

      Hi Chris,

      I forgot to also include this other issue. I won't produce an advisory for it as it is pretty minor. Here are the details:

      By default, Grouper's UI allows you to view 10, 25, 50, or 100 results per page for a given search query. By modifying the pagingTagPageSize parameter, it is possible to increase the results per page.

      POST /gms/grouperUi/app/UiV2Main.searchFormSubmit HTTP/1.1
      Host: grouper.example.com
      [...truncated...]
      pagingTagPageSize=400&searchQuery=smith [...truncated...]

      Example: A search query for "smith" yielded 340 results. Changing pagingTagPageSize parameter to 400 allows viewing of all results on a single page.

      As I noted in our internal report:

      "This could have potential performance and/or DoS impacts, or more easily allow full enumeration of the LDAP or other Grouper connected directory."

      I did not test for DoS or performance impacts and I'm not sure if Grouper really cares about a hard restraint of 100 results per page, but wanted to bring this to your attention.

      Thanks,

      Josh
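
A server-side check that would close this gap, as an added example that is not Grouper's own code: the submitted value is honoured only when it is one of the four sizes the UI offers, and the same allowlist is reused to flag out-of-range requests in constructed log lines (the log format is hypothetical).

```python
"""Server-side enforcement of the UI paging allowlist (added example, not Grouper code)."""
from collections import Counter
from urllib.parse import parse_qs

ALLOWED_PAGE_SIZES = (10, 25, 50, 100)  # the only choices the UI presents
DEFAULT_PAGE_SIZE = 10


def is_allowed(raw):
    """True only for an ASCII decimal string naming one of the UI's own sizes."""
    return raw is not None and raw.isascii() and raw.isdigit() and int(raw) in ALLOWED_PAGE_SIZES


def effective_page_size(raw):
    """Page size the server should honour: the request's value if allowed, else the default.

    Non-numeric, negative, absent or oversized values (such as 400) all fall back,
    so editing the POST body cannot raise the per-page limit.
    """
    return int(raw) if is_allowed(raw) else DEFAULT_PAGE_SIZE


def sanitize_search_form(body):
    """Validate an x-www-form-urlencoded searchFormSubmit body.

    Returns (page_size, tampered); tampered is True when pagingTagPageSize was
    present but outside the allowlist, which is the event worth logging.
    """
    fields = parse_qs(body, keep_blank_values=True)
    raw = fields.get("pagingTagPageSize", [None])[0]
    return effective_page_size(raw), raw is not None and not is_allowed(raw)


# Constructed sample log lines in a hypothetical "client path body" format.
SAMPLE_LOG = """\
10.0.0.5 /gms/grouperUi/app/UiV2Main.searchFormSubmit pagingTagPageSize=25&searchQuery=smith
10.0.0.9 /gms/grouperUi/app/UiV2Main.searchFormSubmit pagingTagPageSize=400&searchQuery=smith
10.0.0.9 /gms/grouperUi/app/UiV2Main.searchFormSubmit pagingTagPageSize=100000&searchQuery=a
10.0.0.5 /gms/grouperUi/app/UiV2Main.searchFormSubmit pagingTagPageSize=100&searchQuery=jones
"""


def tampered_clients(log_text):
    """Count requests per client whose page size is outside the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, path, body = line.split(" ", 2)
        if path.endswith("UiV2Main.searchFormSubmit") and sanitize_search_form(body)[1]:
            hits[client] += 1
    return dict(hits)
```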

People

• Assignee: mchyzer (Chris Hyzer)
• Reporter: mchyzer (Chris Hyzer)