Bug #7563

closed

PassiveDNS REST API token displayed to user on connection error

Added by Radko Krkoš almost 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: High
Category: Development - GUI
Target version:
Start date: 03/01/2022
Due date:
% Done: 100%
Estimated time:
To be discussed:

Description

The complete URL is displayed to the user on communication error with external service. In case of PassiveDNS connection, the URL contains the access token, which should be kept secret. The current token was already disclosed and must be regenerated, but this has to be also fixed.


Related issues

Related to Mentat - Support #7564: Renew the PassiveDNS REST API token | Closed | Radko Krkoš | 03/01/2022

Actions #1

Updated by Radko Krkoš almost 3 years ago

  • Related to Support #7564: Renew the PassiveDNS REST API token added
Actions #2

Updated by Radko Krkoš almost 3 years ago

The reported problem was detected here:
https://mentat-hub.cesnet.cz/mentat/pdnsr/search

Other points of communication between pDNS and Mentat were not analysed and might be also vulnerable.

Actions #3

Updated by Rajmund Hruška almost 3 years ago

  • Assignee set to Rajmund Hruška
  • Target version changed from Backlog to 2.9
Actions #4

Updated by Rajmund Hruška almost 3 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

I fixed the error message in e626dcfa. I checked the other places where pdns is used and there shouldn't be any problems. I also looked at NERD to check if a similar problem exists there, but it seems to be fine there.

Actions #5

Updated by Rajmund Hruška almost 3 years ago

  • Status changed from Resolved to In Review
  • To be discussed deleted (Yes)

Merged into devel.

Actions #6

Updated by Pavel Kácha almost 3 years ago

Also FLAB Pentest 2022-03 no. 35

Actions #7

Updated by Pavel Kácha almost 3 years ago

  • Status changed from In Review to Closed
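
The class of bug described in this issue (a request URL carrying an access token echoed back in a connection error) can be handled as in the following added example; it is not part of the original thread and is not the Mentat fix from e626dcfa. The parameter names in `SENSITIVE_PARAMS`, the logger name, the host `pdns.example.org` and the token position in the URL are assumptions, and the sample token and error text are constructed.

```python
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

log = logging.getLogger("pdns_client")                  # hypothetical logger name
SENSITIVE_PARAMS = {"token", "apikey", "api_key", "access_token"}  # assumed names
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def redact_url(url, secrets=()):
    """Drop userinfo and fragment, mask sensitive query values and known secrets."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if ":" in host:                                 # IPv6 literal needs brackets
            host = f"[{host}]"
        if parts.port:
            host = f"{host}:{parts.port}"
    except ValueError:                                  # malformed port or IPv6
        return "[unparseable URL removed]"
    query = urlencode([(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    clean = urlunsplit((parts.scheme, host, parts.path, query, ""))
    for secret in filter(None, secrets):                # token used as a path segment
        clean = clean.replace(secret, "REDACTED")
    return clean

def scrub_message(text, secrets=()):
    """Redact every absolute URL in text, then any bare copy of a known secret."""
    text = URL_RE.sub(lambda m: redact_url(m.group(0), secrets), text)
    for secret in filter(None, secrets):
        text = text.replace(secret, "REDACTED")
    return text

def user_facing_error(exc, url, secrets=()):
    """Log scrubbed detail server-side; return only a generic message for the GUI."""
    log.error("PassiveDNS request failed: %s", scrub_message(str(exc), secrets))
    try:
        host = urlsplit(url).hostname or "unknown host"
    except ValueError:
        host = "unknown host"
    return f"Cannot connect to the PassiveDNS service ({host})."

if __name__ == "__main__":
    TOKEN = "s3cr3t-constructed"                        # constructed sample value
    URL = f"https://pdns.example.org/api/v1/ip/192.0.2.1?token={TOKEN}"
    err = ConnectionError(f"Max retries exceeded with url: /api/v1/ip/192.0.2.1?token={TOKEN}")
    print(user_facing_error(err, URL, [TOKEN]))
```

Passing the configured token in `secrets` matters because client libraries often report only the relative path and query in their exception text, which a URL pattern alone would miss.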