Skip to main content
Announcements
Global Transformation Awards! Applications are now open. Submit Entry
cancel
Showing results for 
Search instead for 
Did you mean: 
YoussefBelloum
Champion
Champion

Qliksense Entreprise security issue

Hi everyone, @Michael_Tarallo @Sonja_Bauernfeind 

I hope you're doing well.

Qliksense version : August 2023 patch 10.

We had an audit on my client's cluster today and the pentester had the idea of ​​trying to open a developer application (still hosted on his workspace), via the application ID, on another developer session, and to my surprise, the application opens.

==> User1 can open private app of User2, using his app ID (at the end of the url), without any admin role.

applications hosted on streams (and protected by security rules) seems to be ok..luckily.

We use SAML virtual proxy to authenticate.

I know it's not a common case (applications id's are not listed or shared on the hub). but I need to know if this is a normal behaviour please ?

Thank you.

-Youssef

Labels (2)
9 Replies
steeefan
Luminary
Luminary

It indeed seems to be a normal behaviour. I can reproduce it on February 2024 Patch 3. I've never thought of it but that indeed could be an issue. Good catch!

YoussefBelloum
Champion
Champion
Author

Thank you for testing and for your feedback.

If I have anything new, I'll share it here.

YoussefBelloum
Champion
Champion
Author

@steeefan 

Second day of the audit:

Applications on the streams are finally impacted.. 

Also, on the dev-hub: every authenticated user (SAML) can see all the extensions, mashups made. they can also access the engine api explorer and can make call on all the applications of the cluster..

Can you confirm this please ?

Nicolae_Alecu
Creator
Creator

Hello @YoussefBelloum ,

I think that DEV-HUB it's on another topic. A feature request was raised back in 2019, but there is no solution yet.

 

See this post:

https://community.qlik.com/t5/Deployment-Management/Is-there-a-way-to-hide-DEV-HUB-in-QMC/td-p/15459...

RafaelBarrios
Partner - Specialist
Partner - Specialist

Hello @YoussefBelloum 

Actually, it can happen, in my installation it happens for the root admin and/or other custom properties, but i can see we have a rule created that does allow it
while for a regular user, an "access denied" message is received

RafaelBarrios_0-1716968204929.png

 

I would recommend reviewing the security rules that are being applied through the audit module.

RafaelBarrios_1-1716968274800.png

in my case, you can see is a custom security rule that only applies to Hub

 

Hope this helps.

Best

 

YoussefBelloum
Champion
Champion
Author

Hi @Nicolae_Alecu 

Thank you for your feedback.

Actually I'm aware about this and we are not trying to hide the dev-hub section.

I'm just saying that as a simple user who is authorised on two streams for example, I can see ALL the mashups, extensions present on the server (and edit them), I can also use the api engine explorer to make calls on ALL the applications present on the server.. 

YoussefBelloum
Champion
Champion
Author

Hi @RafaelBarrios 

Thank you for your feedback.

Of course we have a security rule on every stream to give access only to authorized people, via the user.environment.group (that uses SAML attributes)

On the hub, everything is ok, as a simple user, I see only the streams that I'm authorized on..

here is a detailed example: (random app id for example: 1234-4567-6789)

this app id is pressent on a stream that I'm not authorized on.

  • On the hub: I can't see the app, because I can't see the stream ==> ok
  • On the audit section: If I filter on that app id and on my profile ==> no record found (I don't know if this is ok)
  • On the url, when I add the app id manually (xxxx/sense/app/1234-4567-6789) ==> the app opens (this is NOT ok)
Or
MVP
MVP

@YoussefBelloum Sounds like this might be better reported to Qlik Support, rather than placed in the open, as it seems like there may be potential for abuse if these are actually security issues (and they sound like pretty serious issues to me).

YoussefBelloum
Champion
Champion
Author

Hi @Or 

Thank you for your feedback.

You're right, but initially I created this thread to know if it is a normal behaviour. Until now didn't get any official feedback or message telling me it's an issue..

If I'm asked to delete this by a community manager, I'll do it.