Security Advisory WSO2-2017-0218

Published: March 06, 2017


AFFECTED PRODUCTS

  • WSO2 API Manager 2.1.0

OVERVIEW

WSO2 API Manager Publisher and Store are vulnerable to a possible insider attack.

DESCRIPTION

When a reverse proxy is deployed in front of the API Manager Publisher/Store, /registry must also be exposed through the reverse proxy so that API icons/images can be viewed. As a result, an attacker can access other registry resources that are exposed under /registry.

IMPACT

An attacker with access to the API Manager Publisher/Store is able to browse the registry once the registry resource paths have been discovered from a local API Manager instance.

SOLUTION

Expose only the required registry resources from the reverse proxy instead of exposing the whole /registry path.

Required registry resource path: /registry/resource/_system/governance/apimgt/applicationdata/icons/

Example:

Nginx server configurations

For the API Publisher/Store, the registry path below should be exposed in the reverse proxy configuration.

location ~ ^/apimanager/publisher/(.*)registry/resource/_system/governance/apimgt/applicationdata/icons/(.*)$ {
    index index.html;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://127.0.0.1:9443/$1registry/resource/_system/governance/apimgt/applicationdata/icons/$2;
}
location ~ ^/apimanager/store/(.*)registry/resource/_system/governance/apimgt/applicationdata/icons/(.*)$ {
    index index.html;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://127.0.0.1:9443/$1registry/resource/_system/governance/apimgt/applicationdata/icons/$2;
}
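As an added example (not part of the advisory or of WSO2's own tooling), the check below models the two nginx location rules above as a Python allow-list and compares them with a broad /registry rule, so the proxy rule set can be tested offline before deployment. The upstream address and icon path are taken from the advisory; the rule tables, the route/exposed_paths helpers and the sample request paths are constructed here, and the matcher assumes request URIs are already normalized (no query string, no other location types).

```python
import re
from typing import Iterable, List, Optional, Tuple

# Added example, not part of the advisory: an offline allow-list check that mirrors
# the two nginx "location ~" blocks above. It approximates nginx matching (URIs are
# assumed already normalized, no query string, only these regex locations exist).

UPSTREAM = "https://127.0.0.1:9443"
ICON_PATH = "registry/resource/_system/governance/apimgt/applicationdata/icons/"
Rule = Tuple[re.Pattern, str]  # (location regex, proxy_pass target; {0}/{1} stand for $1/$2)

# Hardened rules from the advisory: only the icon directory is forwarded.
HARDENED_RULES: List[Rule] = [
    (re.compile(r"^/apimanager/publisher/(.*)" + re.escape(ICON_PATH) + r"(.*)$"),
     "/{0}" + ICON_PATH + "{1}"),
    (re.compile(r"^/apimanager/store/(.*)" + re.escape(ICON_PATH) + r"(.*)$"),
     "/{0}" + ICON_PATH + "{1}"),
]

# Weak rules (constructed for comparison): the whole /registry tree is forwarded,
# which is the configuration the advisory warns against.
WEAK_RULES: List[Rule] = [
    (re.compile(r"^/apimanager/publisher/(.*)registry/(.*)$"), "/{0}registry/{1}"),
    (re.compile(r"^/apimanager/store/(.*)registry/(.*)$"), "/{0}registry/{1}"),
]

def route(path: str, rules: List[Rule]) -> Optional[str]:
    """Return the upstream URL the rules would proxy to, or None if nothing matches."""
    for pattern, target in rules:
        m = pattern.match(path)
        if m:
            return UPSTREAM + target.format(*m.groups())
    return None

def exposed_paths(paths: Iterable[str], rules: List[Rule]) -> List[str]:
    """Request paths (e.g. taken from an access log) that the rules would forward."""
    return [p for p in paths if route(p, rules) is not None]

# Constructed sample requests: one legitimate icon fetch and two requests for
# other registry resources that must not reach the backend.
SAMPLE_REQUESTS = [
    "/apimanager/publisher/registry/resource/_system/governance/apimgt/applicationdata/icons/app1.png",
    "/apimanager/publisher/registry/resource/_system/governance/some/other/resource",
    "/apimanager/store/registry/resource/_system/config/some/other/resource",
]

if __name__ == "__main__":
    print("weak config forwards:    ", exposed_paths(SAMPLE_REQUESTS, WEAK_RULES))
    print("hardened config forwards:", exposed_paths(SAMPLE_REQUESTS, HARDENED_RULES))
```

Feeding real request paths from the proxy's access log into exposed_paths with WEAK_RULES shows which registry resources a broad configuration would have forwarded.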

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.