[SOLVED] Proxmox security issue

Maher Khalil

Member
Jul 11, 2021
Hello,
I am using Proxmox with nginx as a reverse proxy. What I found out is that if anyone puts a link with the API as mentioned below, they get a reply with all the machine configuration data (photo is attached).
The link: https://subdomain.example.com/pi2/extjs/nodes/subdomain/qemu/vmid/config
I think they should get an "access denied" reply, right?
Am I missing something?
Note: I am using the latest Proxmox version, 7.4-3.
Hi,

> I think they should get an "access denied" reply, right?
> Am I missing something?
Off the top of my head, I can think of two possible reasons that could explain this behavior:
  1. You logged in to the Proxmox VE system, so when accessing the API directly in your browser you still had a valid PVETicket cookie (it expires two hours after closing the PVE Web UI), which authorized you to access said API.
     This can be tested simply by opening a private browsing window in your browser and retrying this test; you should get a permission error. Alternatively, you could also just try a plain curl or wget CLI command:
     curl https://subdomain.example.com/pi2/extjs/nodes/subdomain/qemu/vmid/config

  2. You set an Authorization header with a privileged API token when reverse proxying, which would authenticate any request as that user. That is certainly not ideal for most setups, especially those that are publicly accessible and cannot be firewalled off.
If it isn't 1., it would be good if you could post the (redacted!) config of your nginx reverse proxy.
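The two checks above, as an added example that is not part of this thread or of Proxmox itself: an unauthenticated probe of the config endpoint (reason 1) and a scan of an nginx config for a static Authorization header injected by the proxy (reason 2). The endpoint URL, the nginx snippets and the token value are constructed placeholders; the `PVEAPIToken=` header format is the real Proxmox API token scheme, and a 401 on an anonymous request is what a correctly proxied Proxmox API is expected to return.

```python
import re
import sys
import urllib.error
import urllib.request

# Constructed placeholder; point this at the proxied config endpoint under test.
ENDPOINT = "https://subdomain.example.com/pi2/extjs/nodes/subdomain/qemu/vmid/config"

# Matches a proxy_set_header directive that sets the Authorization header.
AUTH_HEADER_RE = re.compile(
    r"^\s*proxy_set_header\s+Authorization\s+(.+?)\s*;", re.IGNORECASE | re.MULTILINE
)


def probe_anonymous(url: str, timeout: float = 10.0) -> int:
    """Request the URL with no cookie and no Authorization header and return
    the HTTP status. This mirrors the 'plain curl' test from the reply: the
    proxy must not add credentials on the caller's behalf."""
    req = urllib.request.Request(url, headers={"User-Agent": "pve-proxy-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify_unauthenticated_status(status: int) -> str:
    """Interpret the status of an anonymous request against the PVE API."""
    if status in (401, 403):
        return "ok: API refuses the anonymous request"
    if status == 200:
        return "LEAK: anonymous request received VM configuration data"
    return f"unexpected: HTTP {status}, inspect the proxy chain"


def find_forwarded_credentials(nginx_conf: str) -> list:
    """Return every proxy_set_header Authorization directive whose value is a
    fixed credential. Passing through the client's own header via
    $http_authorization is fine and is not reported."""
    hits = []
    for match in AUTH_HEADER_RE.finditer(nginx_conf):
        if "$http_authorization" not in match.group(1):
            hits.append(match.group(0).strip())
    return hits


# Constructed sample: the weak setting (reason 2) beside the corrected form.
WEAK_CONF = """
location / {
    proxy_pass https://127.0.0.1:8006;
    proxy_set_header Host $host;
    proxy_set_header Authorization "PVEAPIToken=root@pam!proxy=00000000-0000-0000-0000-000000000000";
}
"""

CLEAN_CONF = """
location / {
    proxy_pass https://127.0.0.1:8006;
    proxy_set_header Host $host;
    proxy_set_header Authorization $http_authorization;
}
"""


if __name__ == "__main__":
    # Offline part: scan the constructed configs.
    for name, conf in (("weak", WEAK_CONF), ("clean", CLEAN_CONF)):
        print(f"{name} config: {find_forwarded_credentials(conf) or 'no static credentials'}")
    # Online part: probe the endpoint given on the command line, if any.
    if len(sys.argv) > 1:
        print(classify_unauthenticated_status(probe_anonymous(sys.argv[1])))
```

Run it with no arguments to see the config scan only; pass the proxied config URL as the first argument to also perform the anonymous probe. Any result other than 401/403 on that probe means the proxy, not the browser session, is supplying credentials.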