I am working on a penetration test where Mattermost has been deployed, and it appears that the host is using an nginx proxy in conjunction with their single sign on portal.
However, at least one configuration/source code file is remotely accessible without SSO authentication, a file named main.740f5a0b92c00e72e2e1.js. Here is a couple of snippets from that file:
!function(e){function t(n){if(a[n])return a[n].exports;var r=a[n]={i:n,l:!1,exports:{}};return e[n].call(r.exports,r,r.exports,t),r.l=!0,r.exports}var n=window.webpackJsonp;window.webpackJsonp=function(t,a,o){for(var i,s,l=0,c=;l<t.length;l++)s=t[l],r[s]&&c.push(r[s][0]),r[s]=0;for(i in a)Object.prototype.hasOwnProperty.call(a,i)&&(e[i]=a[i]);for(n&&n(t,a,o);c.length;)c.shift()()};var a={},r={60:0};t.e=function(e){function n(){s.onerror=s.onload=null,clearTimeout(l);var t=r[e];0!==t&&(t&&t[1](new Error(“Loading chunk “+e+” failed.”)),r[e]=void 0)}var a=r[e];if(0===a)return new Promise(function(e){e()});if(a)return a[2];var o=new Promise(function(t,n){a=r[e]=[t,n]});a[2]=o;var i=document.getElementsByTagName(“head”)
…
{key:“getTeamNameRoute”,value:function(e){return this.getTeamsRoute()+“/name/”+e}},{key:“getTeamMembersRoute”,value:function(e){return this.getTeamRoute(e)+“/members”}},{key:“getTeamMemberRoute”,value:function(e,t){return this.getTeamMembersRoute(e)+“/”+t}},{key:“getChannelsRoute”,value:function(){return this.getBaseRoute()+“/channels”}},{key:“getChannelRoute”,value:function(e){return this.getChannelsRoute()+“/”+e}},{key:“getChannelMembersRoute”,value:function(e){return this.getChannelRoute(e)+“/members”}},{key:“getChannelMemberRoute”,value:function(e,t){return this.getChannelMembersRoute(e)+“/”+t}},{key:“getPostsRoute”,value:function(){return this.getBaseRoute()+“/posts”}},{key:“getPostRoute”,value:function(e){return this.getPostsRoute()+“/”+e}},{key:“getReactionsRoute”,value:function(){return this.getBaseRoute()+“/reactions”}},{key:“getCommandsRoute”,value:function(){return this.getBaseRoute()+“/commands”}},{key:“getFilesRoute”,value:function(){return this.getBaseRoute()+“/files”}},{key:“getFileRoute”,value:function(e){return this.getFilesRoute()+“/”+e}},{key:“getPreferencesRoute”,value:function(e){return this.getUserRoute(e)+“/preferences”}},
Should this file be remotely accessible in a SSO environment? The admins for Mattermost at this company claim that this file needs to be public to support the login process, but this seems to be a violation of their SSO requirement. Or in other words, I don’t think anything related to Mattermost should be remotely accessible without the user going through the SSO auth process first.
Any ideas?