Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

What I think is a major securiy hole in NPM 10.0.0

All,

I use Solarwinds to allow customers to view the status and performance of there leased links. I have a portal which customers log into and they have a URL link to the solarwinds server. I form the URL so users do not have to log in with username/password.

I created a view so users can see just interfaces (viewid=31). I created a user limitation on interface name to limit what interfaces customers can see. User's physical interfaces are labeled based on the customer with a specific string. This is what puts customers ports/circuits into there views.

I notice if I manually manipulate the view id in the URL I can get access to a R/O view of all nodes in the database. There are other view numbers I can inject and see more elements of the database if I wanted. So the limitation tool does not seem to block users from seeing the complete inventory in a database.

test.abc.com/.../SummaryView.aspx

Support did not say this was a bug and said they would send it to development for an enhancement. To me this is punting it to /dev/null and I will not see this fixed anytime soon. I cannot roll this out to customers in its current format. To me this is a huge security hole which will allow customers to see all of the database inventory when they are only supposed to see there purchased ckts and nothing else.

Has anyone seen this one before. Any ideas would be appreciated

Mike

Find more posts tagged with

Accepted answers

All comments

FormerMember

i asked a similar thing some time ago mate and got no where

i went off and tried to make it more secure myself, where i removed the URL field froma published IE window. the problem is, you can not stop Orion popping out new windows at certain points in the product. i asked for that to be sorted too but again got no response..

i donlt think security is ont he radar yet for SW, but hopefully it will too as more enterprise customers come in, and MSP's

MarieB

Hi Mike--

I've emailed PM to let them know about this. They are really good about responding--you should hear something soon.

byrona

I have pointed this out and in speaking with Brandon @ SolarWinds he has confirmed that fixing this is on their ToDo list as a bug to fix; however, there is no ETA on this.

You can see my post regarding this HERE.

msab

The case number for this is: 234026

bshopp

This is on our radar for sure. Do you have account limitations setup for your different customers?

So that way even if customer A can guess the view ID for customer B, since they do not have account limitation rights to customer B's devices they will get a page which says you do not have permission to views these items.

msab

I do have account limitations set up for each customer. But if I change the view id to 1, I go from seeing 2 interfaces to seeing 500 cisco devices/nodes which is my whole DB.

Each customer has view 31 but when they log in the account limitations limits what interfaces they can see. I can show you in a net meeting if you want.

msab

Byron, your post was from 2009, - has it been on the radar since 2009?

m_roberts

Hi Mike,

This is something I have come across myself with our customers.

The way I deal with it is to use the alternate URL/querystring method:

test.abc.com/.../SummaryView.aspx

The page name is simply what you have called this page when creating it and I suggest you use %20 for the space character to avoid any browser issues.

This way unless the users know of the other page name titles (doubtful), they cant manipulate the ID to gain access to page displays you dont want them to.

Hope this helps