Embedded Crowd passes sensitive parameters in the URL when adding a new or editing an existing user directory.

    • Severity 3 - Minor

      Issue Summary

      While adding a new directory or editing an existing one, embedded Crowd passes the directoryId, xsrfTokenName and xsrfTokenValue parameters in the URL query string.

      Environment

      1. Bitbucket 6.9.X, 7.4.X, 7.5.X, 7.6.X

      Steps to Reproduce

      1. In Bitbucket navigate to Gear Icon > User Directories;
      2. Click Add Directory and choose any option;
        1. Or edit an existing user directory.

      Actual Results

      Crowd will form a URL with the following details in it:

      • While adding a new user directory:
        <BASE URL>/plugins/servlet/embedded-crowd/configure/activedirectory/?xsrfTokenName=<TOKEN_NAME>&xsrfTokenValue=<TOKEN_VALUE>

      • While editing an existing user directory:
        <BASE URL>/plugins/servlet/embedded-crowd/configure/ldap/?directoryId=<DIR_ID>&xsrfTokenName=<TOKEN_NAME>&xsrfTokenValue=<TOKEN_VALUE>


      Expected Results

      Embedded Crowd should hide these parameters from the URL.

      Notes

      The URL exposes sensitive details about the application (the XSRF token name and value, and the directory id) that could lead to security issues, since query strings are routinely recorded in access logs, proxy logs, browser history and Referer headers.
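      As an added example, written here and not code from the issue or from Atlassian, the following Python script shows how a defender can detect this exposure from the server side and keep it out of logs: it flags URLs whose query string carries the xsrfTokenName/xsrfTokenValue parameters (the generic names token, password and secret are an assumption added for illustration), redacts their values before a URL is written to a log, and scans a constructed access-log sample for affected requests. The base URL, token values and log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that should never travel in a query string. The two
# xsrf names come from the Bitbucket issue; token/password/secret are
# generic assumptions added for illustration.
SENSITIVE_PARAMS = {"xsrftokenname", "xsrftokenvalue", "token", "password", "secret"}


def leaked_params(url):
    """Return the sorted sensitive parameter names present in the URL's query string."""
    query = urlsplit(url).query
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)
             if name.lower() in SENSITIVE_PARAMS}
    return sorted(names)


def redact_url(url, placeholder="REDACTED"):
    """Replace the values of sensitive query parameters so the URL is safe to log."""
    parts = urlsplit(url)
    pairs = [(name, placeholder if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Request line of a combined-format access log entry: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return (line_number, method, leaked_names) for every request whose
    query string carries a sensitive parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        names = leaked_params(match.group("target"))
        if names:
            findings.append((lineno, match.group("method"), names))
    return findings


# Constructed sample log lines: two embedded-crowd requests that leak the
# XSRF token (as described in the issue) and one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2021:10:00:00 +0000] "GET /plugins/servlet/embedded-crowd/'
    'configure/activedirectory/?xsrfTokenName=atl.xsrf.token&xsrfTokenValue=abc123-example'
    ' HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [01/Jan/2021:10:00:05 +0000] "GET /plugins/servlet/embedded-crowd/'
    'configure/ldap/?directoryId=10001&xsrfTokenName=atl.xsrf.token&xsrfTokenValue=abc123-example'
    ' HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2021:10:00:09 +0000] "GET /projects/PROJ/repos/app/browse'
    '?at=refs/heads/main HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for lineno, method, names in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} request leaks {', '.join(names)}")
    example = ("https://bitbucket.example.test/plugins/servlet/embedded-crowd/configure/ldap/"
               "?directoryId=10001&xsrfTokenName=atl.xsrf.token&xsrfTokenValue=abc123-example")
    print(redact_url(example))
```

      Redaction at the logging layer limits how far an already-issued token spreads; it does not replace the fix the issue asks for, which is to stop emitting the token in the URL (for example by sending it in a POST body or header) so that it never reaches logs, history or Referer headers in the first place.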

      Workaround

      No workaround available at the moment.

            Assignee: Patryk
            Reporter: Douglas Gnoato
            Votes: 1
            Watchers: 4
