New Relic: Unauthorized Access

2016-02-13T00:46:56
ID H1:116179
Type hackerone
Reporter bulba
Modified 2017-03-20T01:38:39

Description

Summary of Findings

The remote server (https://download.newrelic.com) allowed unauthenticated access to special-access files that are only intended to be accessible after contacting the New Relic program managers, as seen below.

Exploiting the Vulnerability/Mis-configuration

By performing search-engine analysis, I was able to identify the name of a child directory, /eclipse-established, which appears to contain various source files related to special-access/beta program application testing, as seen below:

Concluding Remarks/Remediation Advice

Obviously there is a slight possibility that this was the intended function and that there was not supposed to be any type of access control over these directories. The reason I may have identified this as a false positive is that when a user tries to access the /android_agent directory they are given instructions to contact support.

If it is a misconfiguration, one option would be to enforce HTTP basic authentication with something similar to the example below. Two caveats apply: basic authentication only base64-encodes the username and password, so the protected location should be served over TLS only; and if directory indexing is enabled, setting autoindex off stops enumeration of the directory contents but not direct fetches of file names that are already known, so the authentication requirement is still needed.

server {
    listen 80;
    server_name www.example.com example.com;
    root /var/www/www.example.com/web;
    [...]
    location /eclipse-established {
        # Challenge every request for this prefix; the realm string is shown to the user.
        auth_basic "Restricted";
        # Credential file lives next to, not inside, the document root, so nginx never serves it.
        auth_basic_user_file /var/www/www.example.com/.htpasswd;
    }
    [...]
}
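The following audit script is an added example and is not part of the original report or of New Relic's tooling. It checks each path of interest twice, once anonymously and once with credentials, so that a "fixed" directory can be confirmed to return 401 to strangers while still admitting the people it is meant for, and it flags anonymous directory listings separately because those enumerate the contents. The host download.example.com, the /beta-builds/ directory, the beta/s3cret credentials and the canned responses are all constructed so the script runs offline; point audit() at a real host by leaving fetch at its default.

```python
# Added example, not code from the original HackerOne report. The host name,
# the extra path names, the credentials and the canned responses are constructed.
import base64
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Creds = Optional[Tuple[str, str]]


@dataclass
class Response:
    status: int
    body: str


# Marker used by nginx/Apache autoindex pages.
LISTING_RE = re.compile(r"<(?:title|h1)>\s*Index of ", re.IGNORECASE)


def http_fetch(url: str, creds: Creds = None) -> Response:
    """Real fetcher: GET url, adding an Authorization: Basic header when creds are given."""
    req = urllib.request.Request(url, headers={"User-Agent": "auth-audit/1.0"})
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return Response(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return Response(err.code, err.read(4096).decode("utf-8", "replace"))


def classify(url: str, fetch: Callable[[str, Creds], Response], creds: Creds = None) -> str:
    """Verdict for one URL from its anonymous response and, when a 401 is seen, an authenticated one."""
    anon = fetch(url, None)
    if anon.status == 200:
        # Anyone can read it; a listing additionally reveals every file name in the directory.
        return "LISTED" if LISTING_RE.search(anon.body) else "OPEN"
    if anon.status == 401:
        if creds is None:
            return "PROTECTED"
        # Make sure the challenge is a working control, not a broken one: valid creds must get in.
        authed = fetch(url, creds)
        return "PROTECTED" if authed.status == 200 else "PROTECTED-CREDS-REJECTED"
    if anon.status in (403, 404):
        return "DENIED"
    return f"OTHER-{anon.status}"


def audit(base: str, paths: List[str], fetch=http_fetch, creds: Creds = None) -> Dict[str, str]:
    base = base.rstrip("/")
    return {p: classify(base + p, fetch, creds) for p in paths}


# Constructed host and responses: /eclipse-established has the nginx fix applied,
# a hypothetical /beta-builds directory still lists anonymously, /android_agent is refused.
BASE = "https://download.example.com"
CANNED = {
    "/eclipse-established/": {
        None: Response(401, "<html><h1>401 Authorization Required</h1></html>"),
        ("beta", "s3cret"): Response(200, "<html><h1>Index of /eclipse-established/</h1>...</html>"),
    },
    "/beta-builds/": {
        None: Response(200, "<html><title>Index of /beta-builds/</title>...</html>"),
    },
    "/android_agent/": {
        None: Response(403, "Please contact support for access."),
    },
}


def fake_fetch(url: str, creds: Creds = None) -> Response:
    """Offline stand-in for http_fetch that answers from CANNED; unknown creds get the anonymous reply."""
    by_creds = CANNED[url[len(BASE):]]
    return by_creds.get(creds, by_creds[None])


def demo() -> Dict[str, str]:
    return audit(BASE, list(CANNED), fetch=fake_fetch, creds=("beta", "s3cret"))


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:<10} {path}")
```

The credential file itself can be created with htpasswd -c /var/www/www.example.com/.htpasswd beta (apache2-utils; its default apr1 MD5 format is one nginx accepts) or with openssl passwd -apr1, appending the resulting user:hash line to the file; either way the file must not sit under the root directive, which the configuration above already respects.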