Security Advisory WSO2-2017-0218¶
Published: March 06, 2017
AFFECTED PRODUCTS¶
- WSO2 API Manager 2.1.0
OVERVIEW¶
WSO2 API Manager Publisher and Store are vulnerable to a possible insider attack.
DESCRIPTION¶
When a reverse proxy is deployed in front of API Manager Publisher/Store, it is required to expose /registry as well from the reverse proxy to view API icons/images. Due to this, an attacker can access other registry resources which are exposed from /registry.
IMPACT¶
An attacker with access to API Manager Publisher/Store is able to browse the registry once the registry resource paths are found from a local API Manager instance.
SOLUTION¶
Expose only the required registry resources other than exposing whole /registry from the reverse proxy.
Required registry resource path : /registry/resource/_system/governance/apimgt/applicationdata/icons/
Example:
Nginx server configurations
For API Publisher/ Store, the registry path below should be exposed in reverse proxy configurations.
location ~ ^/apimanager/publisher/(.*)registry/resource/_system/governance/apimgt applicationdata/icons/(.*)$ {
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://127.0.0.1:9443/$1registry/resource/_system/governance/apimgt/applicationdata/icons/$2;
}
location ~ ^/apimanager/store/(.*)registry/resource/_system/governance/apimgt/applicationdata/icons/(.*)$ {
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://127.0.0.1:9443/$1registry/resource/_system/governance/apimgt/applicationdata/icons/$2;
}
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.