Information Disclosure via URL tampering

Disclosed by
charleslerant
Summary by charleslerant

While doing some security research I stumbled upon some information via manual URL tampering. This information MAY be public knowledge, which is why I submitted this as informational.

After researching, it appears that this is a function of Pulse Connect Secure, as it allows the creation of a custom help page. But since there doesn't appear to be any "help" links on the login page, I'm not sure if this function needs to be enabled, so I figured it would be a good idea to report it, mainly because it seems to give away the username format, links to what appear to be VPNs, as well as the direct e-mail of who to contact if there was an issue logging in. This information may be of use for bad actors.

To reproduce the issue just visit the link https://pm.doi.gov/dana-na/auth/url_c8x42cdx6wWwu0xF/welcome.cgi?p=help

The original URL passed the parameter p=no_cert; I changed that to p=help.

Report details
  • Submitted

  • Target Location

    *.doi.gov
  • Target category

    Web App

  • VRT

    Sensitive Data Exposure > Disclosure of Known Public Information
  • Priority

    P5
  • Bug URL
    https://pm.doi.gov/dana-na/auth/url_c8x42cdx6wWwu0xF/welcome.cgi?p=help
  • Description

    While doing some security research I stumbled upon some information via manual URL tampering. This information MAY be public knowledge, which is why I submitted this as informational.

    After researching, it appears that this is a function of Pulse Connect Secure, as it allows the creation of a custom help page. But since there doesn't appear to be any "help" links on the login page, I'm not sure if this function needs to be enabled, so I figured it would be a good idea to report it, mainly because it seems to give away the username format, links to what appear to be VPNs, as well as the direct e-mail of who to contact if there was an issue logging in. This information may be of use for bad actors.

    To reproduce the issue just visit the link https://pm.doi.gov/dana-na/auth/url_c8x42cdx6wWwu0xF/welcome.cgi?p=help

    or use the following

    1) From the main page hover over about and then click employees

    2) On the login screen click "change password"

    3) Change the URL p=no_cert to p=help and press enter

    4) The help page is displayed with possible sensitive information; not sure if this is public information, so I'll leave that to you to further qualify

    Remediation: recommend that custom help pages in Pulse Connect Secure be turned off or modified if this information is not for public consumption.
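
When deciding whether a custom help page is fit for public consumption, it helps to list what it reveals in the three categories the report names: username format, links and contact e-mail. The following is an added example, not part of the submission; the function name, the keyword list and the sample HTML are assumptions, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed keyword list for sentences that describe an account-name convention.
USERNAME_HINT_RE = re.compile(r"\b(user\s?name|user\s?id|login\s?(?:name|id))\b", re.I)

class _HelpPage(HTMLParser):
    """Collects visible text chunks and link targets, skipping script/style."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._hidden = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href.strip())
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1
    def handle_data(self, data):
        if not self._hidden and data.strip():
            self.text.append(" ".join(data.split()))

def audit_help_page(html):
    """Return what an unauthenticated reader of the help page would learn."""
    page = _HelpPage()
    page.feed(html)
    page.close()
    emails = {m for chunk in page.text for m in EMAIL_RE.findall(chunk)}
    emails |= {l[7:].split("?")[0] for l in page.links if l.lower().startswith("mailto:")}
    return {
        "emails": sorted(emails),
        "links": [l for l in page.links if l.lower().startswith(("http://", "https://"))],
        "username_hints": [c for c in page.text if USERNAME_HINT_RE.search(c)],
    }

# Constructed sample help page, not the page from the report.
SAMPLE_HELP_HTML = """<html><head><style>p { margin: 0 }</style></head><body>
<h1>Sign-in help</h1>
<p>Your username is your first initial and last name, for example jdoe.</p>
<p>Remote access: <a href="https://vpn1.example.org/">primary</a> or
<a href="https://vpn2.example.org/">backup</a>.</p>
<p>Problems? Contact <a href="mailto:helpdesk@example.org?subject=VPN">the help desk</a>
or write to admin@example.org.</p></body></html>"""

if __name__ == "__main__":
    for kind, items in audit_help_page(SAMPLE_HELP_HTML).items():
        print(kind, items)
```

Run it against a saved copy of your own sign-in help page and review each listed item before leaving the page reachable without authentication.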

Activity
  1. DOI_RPI Customer published the disclosure report

  2. charleslerant requested disclosure

  3. chickenJoe changed the state to Informational

  4. chickenJoe sent a message

  5. charleslerant sent a message

  6. charleslerant created the submission