
Scalaxy had an API security hole for a week

It all started on March 15th, when Oversun updated the Scalaxy software. The cloud control panel was down for several hours.
When it finally came back up, I needed to set a server to be started via the API. Alas, I couldn't get the list of servers in my "project": the connection timed out. "They haven't brought the API up yet," I thought, and somehow forgot about it for a week. Today I tried again and was very unpleasantly surprised...

In a week, nothing had changed.
I thought about it and raised the timeout from 5 to 60 seconds. I got 2.7 MB of JSON back. Looking inside, it seemed that instead of the list of my servers it contained every server in the cloud.
First of all I wrote to support, then I went to see what I could do with those servers (on my other account, of course; I have no need for someone else's servers).
API requests have the form www.scalaxy.ru/api/projects/ID_PROJECT/instances/ID_INSTANCE/ACTION.json
My first attempt, using the instance's real project ID (the one belonging to the other account), was denied.
After replacing that real project ID with the ID of a project on the account the request was made from, while keeping the foreign instance ID, I successfully received the information on that instance. In other words, the API checked that the project in the URL was mine, but never checked that the instance in the URL actually belonged to that project.
I then wanted to try starting the instance, but I was in no hurry, and by the time I got to it the bug had already been closed. So I can't say for certain whether it was possible to start, modify or delete instances on other accounts, but I have every reason to believe it was.
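To make the authorization defect concrete, here is a toy model of the two endpoints as described above, written for this post and not taken from Scalaxy's code: a listing endpoint that authorizes the project but forgets to scope the query to it, and an instance endpoint that authorizes the project in the URL but never verifies that the instance in the URL belongs to it. Each comes with its corrected form. The user names, project and instance IDs, the in-memory tables and the function names are all constructed for illustration; the real API's internals are unknown.

```python
# Added example (not Scalaxy's code): a toy model of the two authorization
# defects described in the post and their fixes. Owners, project/instance IDs
# and the in-memory tables below are constructed for illustration.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised where a real API would answer 403 (or 404 to avoid ID enumeration)."""


@dataclass(frozen=True)
class Instance:
    instance_id: int
    project_id: int
    name: str


# Constructed sample data: project 100 belongs to "alice", project 200 to "bob".
PROJECT_OWNER = {100: "alice", 200: "bob"}
INSTANCES = {
    1: Instance(1, 100, "alice-web"),
    2: Instance(2, 100, "alice-db"),
    3: Instance(3, 200, "bob-web"),
}


def require_project_owner(user: str, project_id: int) -> None:
    """The only check the vulnerable handlers perform: does the caller own the project in the URL?"""
    if PROJECT_OWNER.get(project_id) != user:
        raise Forbidden(f"{user} does not own project {project_id}")


# --- /projects/{project_id}/instances.json ---------------------------------

def list_instances_vulnerable(user: str, project_id: int) -> list[int]:
    # Authorizes the project, then returns every instance in the cloud.
    require_project_owner(user, project_id)
    return sorted(INSTANCES)


def list_instances_fixed(user: str, project_id: int) -> list[int]:
    # Same authorization, but the query is scoped to the authorized project.
    require_project_owner(user, project_id)
    return sorted(i.instance_id for i in INSTANCES.values()
                  if i.project_id == project_id)


# --- /projects/{project_id}/instances/{instance_id}/{action}.json ----------

def instance_info_vulnerable(user: str, project_id: int, instance_id: int) -> dict:
    # Checks the project in the URL, but accepts any instance ID whatsoever.
    require_project_owner(user, project_id)
    inst = INSTANCES[instance_id]
    return {"id": inst.instance_id, "project_id": inst.project_id, "name": inst.name}


def instance_info_fixed(user: str, project_id: int, instance_id: int) -> dict:
    require_project_owner(user, project_id)
    inst = INSTANCES.get(instance_id)
    # Look the instance up *within* the authorized project. A foreign ID and
    # an unknown ID get the same answer, so instance IDs cannot be enumerated.
    if inst is None or inst.project_id != project_id:
        raise Forbidden(f"instance {instance_id} not found in project {project_id}")
    return {"id": inst.instance_id, "project_id": inst.project_id, "name": inst.name}


def reproduce() -> dict:
    """Replay the post's steps as 'bob' (project 200) against alice's instance 1."""
    result = {}
    # Step 1: use the foreign instance's real project ID -> denied.
    try:
        instance_info_vulnerable("bob", 100, 1)
        result["foreign_project"] = "allowed"
    except Forbidden:
        result["foreign_project"] = "denied"
    # Step 2: swap in bob's own project ID, keep alice's instance ID -> leaked.
    try:
        result["own_project_foreign_instance"] = instance_info_vulnerable("bob", 200, 1)["name"]
    except Forbidden:
        result["own_project_foreign_instance"] = "denied"
    # The same request against the fixed handler -> denied.
    try:
        instance_info_fixed("bob", 200, 1)
        result["fixed"] = "allowed"
    except Forbidden:
        result["fixed"] = "denied"
    return result


if __name__ == "__main__":
    print(reproduce())
```

The fix is the same in both handlers: authorizing the parent object is not enough, every object named in the URL has to be looked up within the scope the caller was just authorized for. This is what ownership checks in real API frameworks should do as well; the pattern here only shows the logic, not any particular framework.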

Bottom line:
1) For a week it was possible, via the API, to at least view information about every server in the cloud, and possibly to manage them.
2) Time to fix the problem after contacting support through a ticket: 30-45 minutes.


Source: https://habr.com/ru/post/140525/

