Hi everyone, @Michael_Tarallo @Sonja_Bauernfeind
I hope you're doing well.
Qlik Sense version: August 2023 Patch 10.
We had an audit on my client's cluster today and the pentester had the idea of trying to open a developer application (still hosted on his workspace), via the application ID, on another developer session, and to my surprise, the application opens.
==> User1 can open the private app of User2, using its app ID (at the end of the URL), without any admin role.
Applications hosted on streams (and protected by security rules) seem to be OK, luckily.
We use SAML virtual proxy to authenticate.
I know it's not a common case (application IDs are not listed or shared on the hub), but I need to know if this is normal behaviour, please?
Thank you.
-Youssef
It indeed seems to be a normal behaviour. I can reproduce it on February 2024 Patch 3. I've never thought of it but that indeed could be an issue. Good catch!
Thank you for testing and for your feedback.
If I have anything new, I'll share it here.
Second day of the audit:
Applications on the streams are impacted after all.
Also, on the dev-hub: every authenticated (SAML) user can see all the extensions and mashups that were made. They can also access the Engine API Explorer and make calls on all the applications of the cluster.
Can you confirm this please ?
Hello @YoussefBelloum ,
I think the Dev Hub is a different topic. A feature request was raised back in 2019, but there is no solution yet.
See this post:
Hello @YoussefBelloum
Actually, it can happen. In my installation it happens for the root admin and/or other custom properties, but I can see we have a rule created that does allow it,
while for a regular user an "access denied" message is received.
I would recommend reviewing the security rules that are being applied through the audit module.
In my case, you can see it is a custom security rule that only applies to the Hub.
Hope this helps.
Best
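The advice above is to review which rules grant App access and in which context. As an added audit example (not from the post or from Qlik), here is a Python check over a QRS security-rule export that flags enabled App read rules whose condition is not tied to the stream, the owner or the requesting user; the sample export is constructed, and the meaning of the `actions` bit and the `ruleContext` values are assumptions about the QRS API.

```python
import json

# Constructed sample shaped like a QRS /qrs/systemrule export (assumption, not real export data):
# two default-style scoped rules, one custom rule that grants App read to anyone but only in the
# hub context (as described in the post), and one disabled rule that must be ignored.
SAMPLE_RULES_JSON = r'''[
  {"name": "Stream", "category": "Security", "disabled": false,
   "rule": "((resource.resourcetype = \"App\" and resource.stream.HasPrivilege(\"read\")))",
   "resourceFilter": "App_*", "actions": 2, "ruleContext": 0},
  {"name": "Owner", "category": "Security", "disabled": false,
   "rule": "((user.name = resource.owner.name))",
   "resourceFilter": "App_*", "actions": 2, "ruleContext": 0},
  {"name": "Custom_Hub_AllApps", "category": "Security", "disabled": false,
   "rule": "((resource.resourcetype = \"App\"))",
   "resourceFilter": "App_*", "actions": 2, "ruleContext": 1},
  {"name": "Disabled_Old", "category": "Security", "disabled": true,
   "rule": "(true)", "resourceFilter": "App_*", "actions": 2, "ruleContext": 1}
]'''

READ_BIT = 2  # assumption: QRS "actions" bitmask, bit value 2 = Read
CONTEXT = {0: "hub and QMC", 1: "hub only", 2: "QMC only"}  # assumption: QRS ruleContext values
# A condition that names none of these is not scoped to the stream, the owner or the caller.
SCOPING_TERMS = ("resource.stream", "resource.owner", "user.")


def find_unscoped_app_read_rules(rules):
    """Return (name, context) for enabled Security rules that grant App read
    without referencing the stream, the owner or the requesting user."""
    hits = []
    for r in rules:
        if r.get("disabled") or r.get("category") != "Security":
            continue
        if not r.get("resourceFilter", "").startswith("App"):
            continue
        if not r.get("actions", 0) & READ_BIT:
            continue
        if any(term in r.get("rule", "") for term in SCOPING_TERMS):
            continue
        hits.append((r["name"], CONTEXT.get(r.get("ruleContext"), "unknown")))
    return hits


def audit_sample():
    """Run the check over the constructed sample export."""
    return find_unscoped_app_read_rules(json.loads(SAMPLE_RULES_JSON))


if __name__ == "__main__":
    for name, ctx in audit_sample():
        print(f"review: rule '{name}' grants App read to every user ({ctx})")
```

The heuristic only flags conditions that mention no scoping term at all, so a rule that is scoped by a custom property still needs a manual look.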
Thank you for your feedback.
Actually, I'm aware of this and we are not trying to hide the dev-hub section.
I'm just saying that as a simple user who is authorised on two streams, for example, I can see ALL the mashups and extensions present on the server (and edit them), and I can also use the Engine API Explorer to make calls on ALL the applications present on the server.
Thank you for your feedback.
Of course we have a security rule on every stream to give access only to authorized people, via user.environment.group (which uses SAML attributes).
On the hub, everything is OK: as a simple user, I see only the streams that I'm authorized on.
Here is a detailed example (random app ID for the example: 1234-4567-6789):
This app ID is present on a stream that I'm not authorized on.
@YoussefBelloum Sounds like this might be better reported to Qlik Support, rather than placed in the open, as it seems like there may be potential for abuse if these are actually security issues (and they sound like pretty serious issues to me).
Hi @Or
Thank you for your feedback.
You're right, but initially I created this thread to know if it is normal behaviour. Until now I haven't received any official feedback or message telling me it's an issue.
If I'm asked to delete this by a community manager, I'll do it.