Base solution for your next web application
Starts in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

What information is made available with a valid connection? #9589


User avatar
0
smry created
  • What is your product version? 9.0.1
  • What is your product type (Angular or MVC)? Angular
  • What is product framework type (.net framework or .net core)? .NET Core

We logged into a specific tenant with swaggerUI and we noticed we were able to access certain information from (TenantId) from another tenant knowing the tenants name For the specific example we found it was the very first method: /api/services/app/Account/IsTenantAvailable, using a known tenant the API was able to return state, TenantId, and server address

We were also able to query how many tenants were active on specific editions so a user could gain access to internal information

Has there been an audit conducted to identify how many tenant-to-tenant identifiable information concerns there may be? I was able to see penetration testing on the FAQ section, but that was geared more towards external/server access and not to items like tenant metadata being exposed


1 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @smry

    Unfortunately, we don't keep such an information but we hide information related to security about tenants. IsTenantAvailable is an endpoint which doesn't require authentication. If you have specific endpoints which concerns you, we can explain it for you.

    You can also check app services which doesn't have Authorize attribute.