dubeaud / bugnet

BugNET is an open source issue tracker built with .NET

Feed.aspx Authentication Bypass Vulnerability #148

Open palkema opened 8 years ago

palkema commented 8 years ago

Hi, I wanted to report a serious authentication bypass vulnerability in BugNet. In BugNet, you can require authentication in order to search or view tickets. This works well, however when these authentication measures are required, the Feed.aspx page still exposes all of this data via an RSS feed which could allow the general public to download / view tickets or bugs that shouldn't be open to the public.

My proof of concept is as follows.

Browse to any of the below URLs on the BugNet implemented project.

/Feed.aspx?pid=1&channel=1
/Feed.aspx?pid=1&channel=2
/Feed.aspx?pid=1&channel=3
/Feed.aspx?pid=1&channel=4
/Feed.aspx?pid=1&channel=5
/Feed.aspx?pid=1&channel=6
/Feed.aspx?pid=1&channel=7
/Feed.aspx?pid=1&channel=8

Some of these may fail, but chances are one or two of them will expose data.

Google Dorking

It may take some time, but search on Google in quotes, "Powered by BugNET 1.6". Ctrl-click on a bunch of these that show up in Google and append the above URLs. Many will work and expose this data.

Recommended fix

We should do two things to help with this issue.

  1. We should add a robots.txt file to the root of the project that contains: `User-agent: *` / `Disallow: /`
  2. The Feed.aspx page shouldn't work unless you're logged in, or you have designated a whitelisted IP that can pull this RSS information.

Hope this information helps!

-Paul Alkema
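One way to enforce the second recommendation in ASP.NET, as an added example rather than code from the BugNET project: a `web.config` `location` element that denies anonymous users access to Feed.aspx only. It assumes the site uses Forms authentication and that the login page path is `~/Account/Login.aspx` (both assumptions, not taken from BugNET).

```xml
<!-- Added example, not BugNET's own web.config: require a logged-in user for Feed.aspx. -->
<configuration>
  <system.web>
    <!-- Assumed: the site already uses Forms authentication, so a denied
         anonymous request is redirected to loginUrl instead of receiving feed XML.
         The loginUrl value is a placeholder; use the site's real login page. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" />
    </authentication>
  </system.web>

  <!-- Scope the rule to the feed page only. "?" is ASP.NET's token for anonymous users;
       every other page keeps whatever authorization it already had. -->
  <location path="Feed.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The robots.txt in the first recommendation only asks well-behaved crawlers not to index the site and is not an access control, so the authorization rule above is the part that actually closes the hole. To verify, request Feed.aspx without a session and confirm the response is a redirect to the login page rather than RSS XML.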

palkema commented 8 years ago

An additional proof of concept. The BugNet demo site is as I described above, where all tickets require you to log in to view submitted tickets, however the Feed.aspx page exposes this data without logging in.

http://demo.bugnetproject.com/Feed.aspx?pid=1&channel=7