Information Disclosure via url tampering

Disclosed by
charleslerant
Summary by charleslerant

While doing some security research I stumbled upon some information via manual url tampering. This information MAY be public knowledge which is why I submitted this as informational.

After researching, it appears that this is a function of Pulse Connect Secure, as it allows the creation of a custom help page. But since there doesn't appear to be any "help" links on the login page, I'm not sure if this function needs to be enabled, so I figured it would be a good idea to report it, mainly because it seems to give away the username format, links to what appear to be VPNs, as well as the direct e-mail of who to contact if there was an issue logging in. This information may be of use for bad actors.

To reproduce the issue just visit the link https://pm.doi.gov/dana-na/auth/url_c8x42cdx6wWwu0xF/welcome.cgi?p=help

The original URL passed the parameter p=no_cert; I changed that to p=help.

Report details
  • Target Location: *.doi.gov
  • Target category: Web App
  • VRT: Sensitive Data Exposure > Disclosure of Known Public Information
  • Priority: P5
  • Bug URL: https://pm.doi.gov/dana-na/auth/url_c8x42cdx6wWwu0xF/welcome.cgi?p=help
  • Description

    While doing some security research I stumbled upon some information via manual url tampering. This information MAY be public knowledge which is why I submitted this as informational.

    After researching, it appears that this is a function of Pulse Connect Secure, as it allows the creation of a custom help page. But since there doesn't appear to be any "help" links on the login page, I'm not sure if this function needs to be enabled, so I figured it would be a good idea to report it, mainly because it seems to give away the username format, links to what appear to be VPNs, as well as the direct e-mail of who to contact if there was an issue logging in. This information may be of use for bad actors.

    To reproduce the issue just visit the link https://pm.doi.gov/dana-na/auth/url_c8x42cdx6wWwu0xF/welcome.cgi?p=help

    or use the following

    1) From the main page hover over about and then click employees

    2) On the login screen click "change password"

    3) Change the URL parameter p=no_cert to p=help and press enter

    4) The help page is displayed with possible sensitive information; not sure if this is public information, so I'll leave that to you to further qualify


    Remediation: recommend that custom help pages in Pulse Connect Secure be turned off or modified if this information is not for public consumption.
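
An added example, not part of the original report and not Pulse Connect Secure code: one way an administrator could review a custom help page's HTML for the three kinds of information the report names (username format, links to other hosts, contact e-mail) before deciding whether it should stay public. The sample page, the host names and the keyword heuristic are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Heuristic (assumption): text mentioning these words may describe the login-name format.
USERNAME_RE = re.compile(r"\b(?:user\s?name|user\s?id|login\s?(?:name|id))\b", re.I)

# Constructed sample help page; every host and address is a placeholder.
SAMPLE = """
<html><body><h1>Login Help</h1>
<p>Your username is your first initial and last name, e.g. jdoe.</p>
<p>Remote staff can also use <a href="https://vpn2.example.org/">the backup gateway</a>.</p>
<p>Problems? Contact <a href="mailto:helpdesk.admin@example.org">the administrator</a>.</p>
<p><a href="/">Back to sign-in</a></p>
</body></html>
"""

class HelpPageParser(HTMLParser):
    """Collects visible text nodes and link targets."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())

def audit_help_page(html, own_host):
    """Return what an anonymous visitor could learn from the help page."""
    parser = HelpPageParser()
    parser.feed(html)
    emails = set(EMAIL_RE.findall(" ".join(parser.text)))
    # mailto: links expose an address even when the link text hides it.
    emails |= {l[7:].split("?")[0] for l in parser.links if l.lower().startswith("mailto:")}
    # Relative and mailto links have no hostname; the portal's own host is expected.
    hosts = {urlparse(l).hostname for l in parser.links} - {None, own_host}
    hints = [t for t in parser.text if USERNAME_RE.search(t)]
    return {"emails": sorted(emails), "other_hosts": sorted(hosts), "username_hints": hints}

if __name__ == "__main__":
    for kind, found in audit_help_page(SAMPLE, "portal.example.org").items():
        print(kind, found)
```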
