This can happen when an admin creates a space that has sensitive information accessible via the API.
For example, if an admin creates a space called “HR” and has it setup where anyone can create an account, then it is possible that an admin will accidentally create an account with a privileged role in the “HR” space.
If an admin visits the space that they created called “HR” via X-ray and is viewing the account creation page, they will see that the account creation page has verbose error messaging.
An error message will display something like this
Access to the resource ‘Accounts’ has been denied.
The error message can be misleading, as it may lead an admin to believe that the system has blocked access to the space.
In reality though, this is only an error message, there is no access restriction.
In order to reveal the existence of the account in the “HR” space, an admin can simply visit the space via X-ray and view the account creation page.
How to Bypass the Verbose Error Message in X-ray
To bypass the verbose error message, simply visit the space via X-ray and view the account creation page.
Admin can create an account with privileged role
An admin can create an account with a privileged role in the “HR” space through the API. This happens when an admin creates a space with the name “HR,” but doesn’t have the necessary permissions to create accounts, and uses their own privileges to do so.
This happened in CVE-2022-2508 and resulted in a malicious user creating an account with a privileged role in the “HR” space and viewing sensitive information via X-ray.
2.8.1 How to Bypass Verification on an Account Creation Page
The request has been denied by the Account Creation Page
1. Access the account via X-Ray.
2. Click on ‘X-Ray’ and scroll down to ‘Accounts’
Timeline
Published on: 10/27/2022 10:15:00 UTC
Last modified on: 10/28/2022 19:41:00 UTC