Issue 46: Cisco and Facebook patch APIs, Solr API parameter injection


This week, Cisco and Facebook have patched their APIs, a detailed report on Solr parameter injection is out, and GitHub continues their fight against API keys and tokens in public repositories.

Vulnerabilities: Cisco

Cisco has released patches for several critical API security flaws in its Cisco Unified Computing System (UCS) software and Small Business 220 Series Smart Switch routers. The flaws center around the APIs behind the web-based management interfaces.

With both UCS Director and UCS Director Express for Big Data, improper handling of authentication requests and insufficient validation of request headers could allow attackers either to bypass authentication completely, or to log in using the SCP User account that had default credentials. Attackers could then execute arbitrary commands, or even get administrator access.

On the router side, insufficient authorization checks could allow attackers to send malicious requests to modify the device configuration or inject a reverse shell. Another vulnerability could allow an unauthenticated attacker to trigger a buffer overflow and subsequently remotely execute arbitrary code.

Yet another lesson on the importance of proper validation of all incoming parameters, payloads and headers, as well as proper authorization implementation.

Vulnerabilities: Facebook

In a less sinister case, an authorization vulnerability (aka IDOR) in the Facebook API allowed Philippe Harewood to disassociate the profile picture of any user from their profile.

The profile_picture_remove API call had a profile_id parameter that an attacker could substitute with the ID of any other Facebook user.

Although the disassociated picture was not deleted from the account and the profile picture was merely replaced with Facebook’s default one, this is still an authorization vulnerability, so Facebook fixed it and sent a bounty award to the researcher.
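To illustrate the class of bug described above, here is an added example (not Facebook's code) of a minimal profile_picture_remove style handler in its vulnerable and corrected forms; the in-memory profiles, session tokens and function names are constructed for the example.

```python
# Added example: an IDOR on a profile_picture_remove style endpoint and its fix.
# Everything here (profiles, tokens, handler names) is constructed for illustration.
from dataclasses import dataclass

DEFAULT_PICTURE = "default.png"


@dataclass
class Profile:
    profile_id: int
    picture: str


# Constructed state: two users and the session tokens that authenticate them.
PROFILES = {
    1001: Profile(1001, "alice.jpg"),
    1002: Profile(1002, "bob.jpg"),
}
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


class Forbidden(Exception):
    pass


def current_user(session_token: str) -> int:
    """Authenticate the caller: map the session token to the caller's profile_id."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise Forbidden("not authenticated")


def profile_picture_remove_vulnerable(session_token: str, profile_id: int) -> str:
    """Authenticates the caller, then trusts the client-supplied profile_id.
    Any logged-in user can dissociate any other user's picture (IDOR)."""
    current_user(session_token)  # authentication only, no object-level authorization
    target = PROFILES[profile_id]
    target.picture = DEFAULT_PICTURE
    return target.picture


def profile_picture_remove_fixed(session_token: str, profile_id: int) -> str:
    """Same operation, but the target object must belong to the caller."""
    caller = current_user(session_token)
    if profile_id != caller:  # object-level authorization check
        raise Forbidden("profile_id does not belong to the caller")
    target = PROFILES[profile_id]
    target.picture = DEFAULT_PICTURE
    return target.picture


def reset_profiles() -> None:
    """Restore the constructed state so each scenario starts from the same data."""
    PROFILES[1001].picture = "alice.jpg"
    PROFILES[1002].picture = "bob.jpg"
```

The most robust fix is to derive the target from the session and drop the client-supplied profile_id entirely; where the parameter must stay, the ownership check belongs server-side as shown.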

Vulnerabilities: Apache Solr Injection

Apache Solr is an open source enterprise search platform. The Solr API is HTTP-only and is available without any authentication by default.

In his research, Michael Stepankin from Veracode has explored how this could turn into an exploitable vulnerability. He discusses, for example:

  • Solr Parameters Injection (HTTP smuggling)
  • Solr Local Parameters Injection
  • Remote code execution (RCE) through Apache Solr Injection

All examples have details and sample API calls.

Tools: GitHub Token Scanning service

Leaked API keys remain one of the major sources of API breaches. Just like with a username and password, anyone who has an API key can invoke an external API on your behalf. For example, this is how the Samsung SmartThings service got hacked recently.

About a year ago, GitHub started their Token Scanning service that identifies tokens shared in public repositories. The service only works with tokens from specific vendors in formats known to it. Not only is the developer notified, GitHub also tells the corresponding partner about the leak so the token can get revoked.

The service initially launched with support for tokens from Alibaba Cloud, AWS, Azure, Google Cloud, Mailgun, npm, Slack, Stripe, and Twilio.

GitHub has just reported crossing the threshold of 1 billion potential tokens identified, and added more partners: Atlassian, Dropbox, Discord, Proctorio, and Pulumi.

The 1 billion mark is staggering by itself. It shows how widespread the issue is.
