Database Management System Misconfiguration Allowing Policy Bypass
Severity: Info
Summary
Discovered an exposed GeoServer Web Feature Service (WFS) endpoint on a NASA GLOBE development environment that allowed unauthenticated bulk data downloads. The endpoint bypassed rate limiting and data access controls enforced by the official public data portal, enabling download of large internal datasets without going through the program’s designated request channels.
Vulnerability Description
A GeoServer WFS endpoint was accessible on a development subdomain with minimal access controls. By issuing a standard GetFeature request against an internal view, a user could download the entire dataset without authentication, throttling, or pagination limits.
The NASA GLOBE program explicitly states that users requesting datasets larger than the public portal’s capacity should contact the GLOBE Implementation Office via help@nasaglobe.org. This endpoint completely bypassed that policy, allowing direct bulk export of internal data.
Affected Endpoint:
GET https://[dev-subdomain].globe.gov/geoserver/ows
Root Cause: Missing ownership validation in the controller layer before querying the database.
Steps to Reproduce
- Send a WFS `GetFeature` request to the exposed GeoServer endpoint: `curl "https://[dev-subdomain].globe.gov/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=cite:[internal_view]" -o output.xml`
- The response returns the full dataset (~136 MB) as XML with no pagination or throttling.
- The output contains tens of thousands of records from an internal database view.
Proof of Concept

Impact
Severity Justification - INFO (P5):
- ✅ Data Exposure: Internal dataset (~136 MB, tens of thousands of records) downloadable without authentication
- ✅ Policy Bypass: Circumvents official data request workflow (help@nasaglobe.org)
- ✅ DoS Potential: Repeated bulk requests could consume significant server resources (CPU, bandwidth, database connections)
- ❌ No Direct PII: Dataset contains identifiers rather than personally identifiable information
- ❌ No Write Access: Read-only exposure via WFS
CVSS v3.1 Score: 5.3 (Medium)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Business Impact:
- Reputational damage if internal data is publicly scraped
- Potential for competitive intelligence or offline analysis of program structure
- Service degradation or outage from sustained bulk download requests
Remediation Recommendations
Immediate Fix
- Restrict the GeoServer WFS endpoint to internal network access or require authentication
- Implement rate limiting and query-size caps on WFS GetFeature requests
Long-term Improvements
- Audit all GeoServer layer visibility settings; disable unnecessary public-facing layers
- Implement WFS-T (Transaction) access controls to limit read/write scope
- Add pagination limits to prevent single-request bulk downloads
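The following is an added example, not code from GLOBE or GeoServer, showing how the rate-limiting and query-size-cap recommendations above could be enforced by a gate in a reverse proxy in front of `/geoserver/ows`. The cap and window values, client identifiers, and URLs are assumed placeholders; the gate clamps `maxFeatures` (WFS 1.x) or `count` (WFS 2.0) to a page size and throttles unauthenticated `GetFeature` callers.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode
from collections import defaultdict, deque

# Assumed placeholder limits (not GLOBE's or GeoServer's settings).
MAX_FEATURES = 1000       # largest page one GetFeature may return
RATE_LIMIT = 5            # GetFeature calls per unauthenticated client per window
WINDOW_SECONDS = 60

_history = defaultdict(deque)  # client -> timestamps of recent GetFeature calls


def _params(url):
    """WFS key-value parameters are case-insensitive; normalise keys to lowercase."""
    return {k.lower(): v for k, v in parse_qsl(urlsplit(url).query)}


def gate_request(url, client, now, authenticated=False):
    """Return (allowed, reason, url_to_forward) for one request to the OWS endpoint.

    Authenticated users skip the rate limit, but every GetFeature still gets a
    size cap so a single request can never export an entire view.
    """
    p = _params(url)
    if p.get("service", "").lower() != "wfs":
        return True, "not a WFS request", url
    if p.get("request", "").lower() != "getfeature":
        return True, "non-GetFeature WFS operation", url

    if not authenticated:
        hist = _history[client]
        while hist and now - hist[0] > WINDOW_SECONDS:   # sliding window
            hist.popleft()
        if len(hist) >= RATE_LIMIT:
            return False, "rate limit exceeded", None
        hist.append(now)

    # WFS 2.0.0 uses 'count'; 1.0.0/1.1.0 use 'maxFeatures'. Clamp whichever
    # the client used, or add one when the request asked for everything.
    key = "count" if p.get("version", "").startswith("2") else "maxfeatures"
    try:
        requested = int(p.get(key, MAX_FEATURES + 1))
    except ValueError:
        return False, f"invalid {key} value", None
    if requested > MAX_FEATURES:
        p[key] = str(MAX_FEATURES)   # clamp instead of reject: client still gets a page
        url = urlsplit(url)._replace(query=urlencode(p)).geturl()
    return True, "forwarded with size cap", url
```

Per-page results remain retrievable with `startIndex`, which keeps legitimate clients working while removing the single-request bulk export.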
Timeline
| Date | Action | Status |
|---|---|---|
| Aug 13, 2025 | Created Submission | Submitted |
| Aug 14, 2025 | Bugcrowd Confirmed | Acknowledged |
| Aug 14, 2025 | Bugcrowd Rated P5 | Accepted |
Lessons Learned
Report responsibly disclosed through Bugcrowd’s VDP program.