Unauthenticated access to client web page

Post Reply
chrisrenault
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 28, 2019 7:40 pm

Unauthenticated access to client web page

Post by chrisrenault » Mon Jan 28, 2019 7:48 pm

Hi,

I'm testing OpenVPN Access Server and found that I can browse to a unauthenticated page:

https://[server IP address]:1543/html/downloads.html?v=1400015421

There's no direct result for the directory browsing, no commands issued or privilege escalation, but it seems to be a flaw.

There's any switches or configuration files in order to prevent this behaviour ?

Thanks in advance.

novaflash
I should be on the dev team.
Posts: 950
Joined: Fri Apr 13, 2012 8:43 pm

Re: Unauthenticated access to client web page

Post by novaflash » Mon Jan 28, 2019 7:55 pm

I cannot replicate this here. Are you _SURE_ you are getting this result from the OpenVPN Access Server itself, and not some other service running on that port?

chrisrenault
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 28, 2019 7:40 pm

Re: Unauthenticated access to client web page

Post by chrisrenault » Tue Jan 29, 2019 10:06 pm

Got only OpenVPN AS running on the server and the "flaw" is intermittent.

Here is a screenshot: https://imgur.com/a/9PzIOEY

novaflash
I should be on the dev team.
Posts: 950
Joined: Fri Apr 13, 2012 8:43 pm

Re: Unauthenticated access to client web page

Post by novaflash » Fri Feb 08, 2019 12:45 pm

Can't seem to reproduce this on any of my access servers. I also don't recognize that URL, it's not even a URL we use in access server.

I suggest you open a support ticket on the openvpn.net website and submit these details and what you've done exactly, and we can then have a closer look at it.

Post Reply