0x00-0x00
Repos
259
Followers
494
Following
13

Pop shells like a master.

1353
213

Pip install exploit package

144
49

PHPMyAdmin v4.8.0 and v.4.8.1 LFI exploit

10
6

CMS Made Simple 2.2.7 RCE exploit

A killer reverse-shell script that is able to use a lot of techniques to ensure your shell will pop back to you.

26
12

Telegram-based PowerShell Runspace Host

10
4

Events

Users added by SSO identity providers require AdminFullAccess privilege to login to the application

Describe the bug Users added and validated through SSO (Identity Provider - OpenID Connect) requires the privilege of AdminFullAccess to be able to login into Vectr.

To Reproduce Steps to reproduce the behavior:

  1. Configure an identity provider;

image

  1. Add at least one user to be authenticated by using the above mentioned provider;
  2. Create a group (e.g: SSO_Access) with all policies except AdminFullAccess and add above mentioned user to it;

image

image

image

  1. Try to login with this user, it will lead to this page, instead of home page.

image

  1. Now go back to the local administrator account, add the AdminFullAccess policy to the group;

image

  1. Logout and try to login with the SSO user, it will login to Vectr.

image

Expected behavior I think it is expected that SSO users might not need administrator privileges over the Vectr instance. In current state it seems to be a requirement.

Additional Context Vectr version: 8.4.3 (updated 04/08/2022) This was affecting me since 8.3.x and I thought 8.4.3 version would solve the issue, but unfortunately it does not. So I thought in posting this here so the team can maybe solve this, as this impacts severely in the usability of the identity provider feature.

Created at 2 weeks ago
Users added by SSO identity providers require AdminFullAccess privilege to login to the application

I have done a clean reinstall to the latest version of Vectr and SSO seems to be working. I wasnt able to determine what exactly caused the issue in the previous instance.

Created at 2 weeks ago
Users added by SSO identity providers require AdminFullAccess privilege to login to the application

Sure, i will be sending it right now

Created at 1 month ago
Users added by SSO identity providers require AdminFullAccess privilege to login to the application

Hello all,

  1. Which IDp are you using? Auth0 with Google integration (OIDC)

  2. Do you have any potential username collisions between local and SSO accounts? No, there isnt.

  3. Do you see anything in the container logs that show error? Yes. It starts to 403 out when queries the GoldStandard database.

Client side image

Server side image

It is possible to identify the three 403 requests in both screenshots. All previous requests are 302, 200 or 401 (but as Paul said, 4 01 is normal) which seems to be the normal flow...

Any suggestions?

Created at 1 month ago
Users added by SSO identity providers require AdminFullAccess privilege to login to the application

Yes! It is described in the first image but I did not write that down in the actual step by step, sorry about that.

Created at 1 month ago
Users added by SSO identity providers require AdminFullAccess privilege to login to the application

Sorry taking too much time to answer this, I was in a middle of something.

But regarding the problem, yes, they do have BasicAccess permission.

image

I have noted that your SSO connection is SAML2 and not OpenID connect, so maybe that's why your environment works and mine dont?

Do you guys at SRA have an instance with OpenID connect SSO properly configured?

Created at 1 month ago
Users added by SSO identity providers require AdminFullAccess privilege to login to the application

Describe the bug Users added and validated through SSO (Identity Provider - OpenID Connect) requires the privilege of AdminFullAccess to be able to login into Vectr.

To Reproduce Steps to reproduce the behavior:

  1. Configure an identity provider;

image

  1. Add at least one user to be authenticated by using the above mentioned provider;
  2. Create a group (e.g: SSO_Access) with all policies except AdminFullAccess and add above mentioned user to it;

image

image

image

  1. Try to login with this user, it will lead to this page, instead of home page.

image

  1. Now go back to the local administrator account, add the AdminFullAccess policy to the group;

image

  1. Logout and try to login with the SSO user, it will login to Vectr.

image

Expected behavior I think it is expected that SSO users might not need administrator privileges over the Vectr instance. In current state it seems to be a requirement.

Additional Context Vectr version: 8.4.3 (updated 04/08/2022) This was affecting me since 8.3.x and I thought 8.4.3 version would solve the issue, but unfortunately it does not. So I thought in posting this here so the team can maybe solve this, as this impacts severely in the usability of the identity provider feature.

Created at 1 month ago