[SOLVED] Proxmox security issue

[Maher Khalil]

Hello
I am using proxmox with engine as revers proxy. what I found out is that if anyone put a link with api as mentioned below, he can get a reply with all the machine (photo is attached) configuration data
the link: https://subdomain.example.com/pi2/extjs/nodes/subdomain/qemu/vmid/config
I think he should get a reply access denied, right?
Do I miss something?
Notes: I am using latest proxmox version 7.4-3

 

[t.lamprecht]

Hi,

I think he should get a reply access denied, right?
Do I miss something?

Off the top of my head, I can think of two possible reasons that could explain this behavior:

1. You logged in to the Proxmox VE system, so when accessing the API directly in your browser you still got a valid PVETicket cookie (expires after two hours since closing the PVE Web UI), which authorized you to access said API.
   This can be simply tested by opening a private browsing mode window in your browser and retry this test, you should get a permission error. Alternatively you could also just try a plain curl or wget CLI command:
   curl https://subdomain.example.com/pi2/extjs/nodes/subdomain/qemu/vmid/config
   
   
2. You set an Authorization header with a privileged API token when reverse proxying, which would authenticate any request as that user, and thus certainly not ideal for most setups; especially those that are publicly accessible and cannot be firewalled off.

If it isn't 1., it'd be good if you could post the config of your (redacted!) nginx reverse proxy.

 

[Maher Khalil]

Hello
It is point number 1.
Thank you very much
I will close this thread