ILMT / SUA - REST API - Authentication and session timeout

Hi

I’ve been spending some time working with the BigFix Inventory REST API, and have been using a web browser to explore the API. Two things that I have noticed are:

Authentication - a user can login to the BigFix Inventory admin interface, then change the URL to point to the API, and the user can access the resources without having to specify an authentication token. Although this has made my job easier, is it not a potential security vulnerability?

Session Timeout - as a user logged into the BigFix Inventory admin interface, the session timeout takes effect, and the user has to login again if the session has been inactive for some time. But, using the authentication technique mentioned above to access the API from a web browser, the session timeout does not take effect. The user can remain on the page indefinitely and does not need to re-authenticate. This is a security vulnerability.

As the REST API would generally not be published externally, it is of limited risk, but thought it would be worth pointing out.

Cheers

Gary


@GarySmith
Do those concerns apply to 9.2.1?

Hi Michal - @michalpaluch

Yes, these concerns are present in 9.2.0 and 9.2.1.

Thanks

Gary

Hi Gary,

Authentication through user/password and then changing the URL to REST API calls is not a vulnerability issue. However, combined with your finding, it becomes a security concern.

Can you please provide some scenarios of how you verified that the user session actually never expires?
Did you log in using a browser, then save the cookies, wait for some time (how long?), open the browser again, re-use the old cookies and verify that the URLs/API URLs still work?

Or did you just wait for some time (how long?) with the browser open and the session was still active? If this is the case, on which panel did you wait?

Hi @kfabjans

The observation that I have made is that when leaving the browser open on an API call for an extended period, I can return to the browser and refresh the call or navigate to another API method without needing to re-authenticate. I have left the web browser open overnight on occasions, so about 16 hours, and the session has still been active.

The same issue is not present in the ILMT web admin interface, which does time out after a period of activity; it is just on the API calls made via the web browser that I have noticed this.

So just to confirm, I navigate to the ILMT web admin interface, login, then change the URL in the web browser to make it an API method call, and the data is retrieved. I can then leave the browser page open, and after an extended period either refresh the page to return the same results, or type in a new API method and the results are returned.

I hope this helps.

Cheers

Gary
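The defect described in this thread is an idle-timeout check that is applied to UI requests but skipped for API requests served off the same session cookie. The following is an added illustration, not ILMT/BigFix Inventory code: a hypothetical in-memory session store with a vulnerable dispatcher beside a fixed one, driven by a fake clock so the ~16-hour wait can be reproduced offline. Path names, cookie values and the 30-minute timeout are constructed for the example.

```python
import time

IDLE_TIMEOUT = 30 * 60  # seconds; hypothetical value, not the product's setting


class FakeClock:
    """Controllable clock so the test can 'wait' 16 hours instantly."""
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session_id -> last_activity timestamp

    def login(self, session_id):
        self.sessions[session_id] = self.clock()

    def touch_if_active(self, session_id):
        """True (and refresh last_activity) only if the session exists and is not idle-expired."""
        last = self.sessions.get(session_id)
        if last is None:
            return False
        if self.clock() - last > IDLE_TIMEOUT:
            del self.sessions[session_id]  # expire it server-side, not just in the browser
            return False
        self.sessions[session_id] = self.clock()
        return True


def handle_request_vulnerable(store, path, session_id):
    # UI paths enforce the idle timeout; API paths only check that the cookie maps to a session.
    if path.startswith("/api/"):
        return 200 if session_id in store.sessions else 401
    return 200 if store.touch_if_active(session_id) else 401


def handle_request_fixed(store, path, session_id):
    # One authentication check for every path, UI and API alike.
    return 200 if store.touch_if_active(session_id) else 401


def demo():
    """Reproduce the report: log in via the UI, wait ~16 hours, then request an API path and a UI path."""
    clock = FakeClock()
    vulnerable, fixed = SessionStore(clock), SessionStore(clock)
    vulnerable.login("cookie-A"); fixed.login("cookie-A")  # constructed session cookie
    clock.advance(16 * 3600)
    return {
        "vulnerable_api": handle_request_vulnerable(vulnerable, "/api/example", "cookie-A"),
        "vulnerable_ui": handle_request_vulnerable(vulnerable, "/ui/example", "cookie-A"),
        "fixed_api": handle_request_fixed(fixed, "/api/example", "cookie-A"),
        "fixed_ui": handle_request_fixed(fixed, "/ui/example", "cookie-A"),
    }
```

The same shape, with real HTTP calls and a real wait, is the check a tester would run against a deployment: save the cookie after login, wait past the configured timeout, and confirm that both UI and API paths return 401.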

For me this sounds like a valid code defect. Please open a service request (PMR) and e-mail the number to me: krzysztof.fabjanski@pl.ibm.com