Error listing clients as normal user

Hi! First of all, thanks for this awesome project!

Bug summary

I'm having a problem with the latest version of bui. I created a new user without admin/moderator privileges and tried to log in as that user. After that, in the "Clients" screen, an error shows up.

Burp

$ burp -V
burp-2.3.16

Sysinfo

$ bui-manage -c /<dir>/etc/burp-ui.cnf sysinfo
Python version:      3.6.3
Burp-UI version:     0.7.0.dev0 (c6a74ecbb9ecc40b2aba5e230c8ed0a867de0019)
OS:                  Linux:3.10.0-957.27.2.el7.x86_64 (posix)
Distribution:        centos 7.7.1908 Core
Single mode:         True
Backend:             burp2
WebSocket embedded:  False
WebSocket available: False
Config file:         /<dir>/etc/burp-ui.cnf

Steps to reproduce

  1. Create a user without privileges
  2. Go to the login page
  3. Try to authenticate with the created user
  4. Go to the "Clients" screen
  5. The error will show up on screen (if in debug mode) and in the bui log.

Logs

<MY IP> - - [13/Jan/2020 11:47:34] "GET /api/clients/backup-running?_session=b8b0dc8e-6e8d-4385-aad0-98f42114424b&_extra=1578926852 HTTP/1.1" 500 -
Traceback (most recent call last):
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 2463, in __call__
    return self.wsgi_app(environ, start_response)
  File "/<dir>/burp-ui/burpui/utils.py", line 250, in __call__
    return self.wsgi_app(environ, start_response)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 2449, in wsgi_app
    response = self.handle_exception(e)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/api.py", line 584, in error_router
    return original_handler(e)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1866, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/_compat.py", line 38, in reraise
    raise value.with_traceback(tb)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/api.py", line 584, in error_router
    return original_handler(e)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/_compat.py", line 38, in reraise
    raise value.with_traceback(tb)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/<dir>/burp-ui/burpui/api/__init__.py", line 74, in decorated_view
    return func(*args, **kwargs)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/api.py", line 325, in wrapper
    resp = resource(*args, **kwargs)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask/views.py", line 89, in view
    return self.dispatch_request(*args, **kwargs)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/resource.py", line 44, in dispatch_request
    resp = meth(*args, **kwargs)
  File "/<dir>/burp-ui/venv/lib/python3.6/site-packages/flask_restplus/marshalling.py", line 243, in wrapper
    resp = f(*args, **kwargs)
  File "/<dir>/burp-ui/burpui/api/clients.py", line 165, in get
    server
  File "/<dir>/burp-ui/burpui/api/clients.py", line 188, in _is_one_backup_running
    allowed = [x for x in clients if mask.is_client_allowed(current_user, x, server)]
  File "/<dir>/burp-ui/burpui/api/clients.py", line 188, in <listcomp>
    allowed = [x for x in clients if mask.is_client_allowed(current_user, x, server)]
  File "/<dir>/burp-ui/burpui/filter.py", line 62, in is_client_allowed
    return current_user.acl.is_client_allowed(client, server)
  File "/<dir>/burp-ui/burpui/misc/auth/handler.py", line 144, in __call__
    return func(**encoded_args)
  File "/<dir>/burp-ui/burpui/misc/acl/handler.py", line 162, in is_client_allowed
    server
  File "/<dir>/burp-ui/burpui/misc/acl/handler.py", line 124, in _iterate_through_loader
    ret = func(*args, **kwargs)
  File "/<dir>/burp-ui/burpui/misc/acl/meta.py", line 598, in is_client_allowed
    order = _extract_key(adv, 'order', None, DEFAULT_EVAL_ORDER)
UnboundLocalError: local variable 'adv' referenced before assignment

Configuration

[Global]
backend = burp2
auth = basic
acl = basic
audit = basic
plugins = none

[UI]
refresh = 180
liverefresh = 5
ignore_labels = color:.*, custom:.*
format_labels = s/^os:\s*//
default_strip = 0

[Production]
storage = redis
session = redis
cache = redis
redis = 127.0.0.1:6379
celery = false
database = sqlite:////<dir>/burpui.db
limiter = false
ratio = 60/minute
prefix = none
num_proxies = 0
proxy_fix_args = "{'x_for': {num_proxies}, 'x_host': {num_proxies}, 'x_prefix': {num_proxies}}"

[WebSocket]
enabled = false
embedded = false
broker = redis
url = none
debug = false

[Security]
includes = /<dir>/etc
enforce = false
revoke = true
cookietime = 14
sessiontime = 5
scookie = true
appsecret = random

[Experimental]
zip64 = true
noserverrestore = false

[Burp]
burpbin = /<dir>/sbin/burp
stripbin = /<dir>/bin/vss_strip
bconfcli = /<dir>/etc/burp.conf
bconfsrv = /<dir>/etc/burp-server.conf
tmpdir = /tmp/bui
timeout = 15
deep_inspection = false

[Parallel]
host = ::1
port = 11111
timeout = 15
password = password123456
ssl = true
concurrency = 2
init_wait = 15

[BASIC:AUDIT]
priority = 100
level = WARNING
logfile = none
max_bytes = 30 * 1024 * 1024
rotate = 5

[BASIC:AUTH]
pedro.domingues@harpo.com.br = <hash>
teste@harpo.com.br = <hash>
teste = <hash> # THIS USER DOESN'T HAVE AN ACL

[BASIC:ACL]
pedro.domingues@harpo.com.br = ""
admin = admin, pedro.domingues@harpo.com.br
+moderator = pedro.domingues@harpo.com.br,
teste@harpo.com.br = {} # I'VE TRIED TO CREATE A USER WITH AN EMPTY ACL, BUT WITHOUT SUCCESS

Thanks!

Edited by Pedro Luiz Domingues
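The traceback above ends in `UnboundLocalError: local variable 'adv' referenced before assignment` for a user that has no `[BASIC:ACL]` entry. The following is an added illustration, not burp-ui's code: a constructed model of that defect class (a grant variable bound only when the user has an ACL entry) next to a fail-closed version that denies instead of crashing with a 500. The ACL table, `DEFAULT_EVAL_ORDER` contents and function bodies are assumptions for the example.

```python
# Constructed example, not burp-ui's implementation. Models the bug class
# behind the reported traceback and a fail-closed alternative.
DEFAULT_EVAL_ORDER = ["exclude", "clients"]  # hypothetical default order

# Constructed ACL table in the spirit of [BASIC:ACL]: user -> advanced grants.
# "teste" deliberately has no entry, like the reporter's unprivileged user.
ACL = {
    "alice": {"clients": ["srv1", "srv2"], "order": ["clients", "exclude"]},
}


def is_client_allowed_buggy(user, client):
    """Mirrors the defect: 'adv' is only bound inside the loop, so a user with
    no ACL entry reaches the 'order' lookup with 'adv' unbound and the
    authorization check raises instead of answering."""
    for name, grants in ACL.items():
        if name == user:
            adv = grants
    order = adv.get("order", DEFAULT_EVAL_ORDER)  # UnboundLocalError for "teste"
    for rule in order:
        if rule == "exclude" and client in adv.get("exclude", []):
            return False
        if rule == "clients" and client in adv.get("clients", []):
            return True
    return False


def is_client_allowed_fixed(user, client):
    """Fail closed: a missing ACL entry becomes an empty grant set, so the
    evaluation runs normally and ends in a denial rather than an exception."""
    adv = ACL.get(user) or {}
    order = adv.get("order", DEFAULT_EVAL_ORDER)
    for rule in order:
        if rule == "exclude" and client in adv.get("exclude", []):
            return False
        if rule == "clients" and client in adv.get("clients", []):
            return True
    return False


def buggy_raises_unbound(user, client):
    """True when the buggy check crashes for this user/client pair."""
    try:
        is_client_allowed_buggy(user, client)
    except UnboundLocalError:
        return True
    return False
```

The point for a defender: an authorization helper that raises on an unexpected principal turns into an HTTP 500 and an error log line, whereas an explicit default makes the "no ACL" case an ordinary, auditable denial.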