
I know of a TFS 2010 server which I can connect to just by creating a TfsConfigurationServer, without setting any credentials:

using Microsoft.TeamFoundation.Client;

// No ICredentials passed: the client falls back to the caller's default Windows credentials.
TfsConfigurationServer configurationServer = new TfsConfigurationServer(new Uri("address"));

After connecting, I am able to retrieve all the team project collections and the corresponding team projects. Isn't this a security vulnerability? I am not sure, as I am new to the TFS API.

Will every TFS server allow listing the team projects like this? If this is a vulnerability, how do I fix it?

Sat
  • Does your user account have access to login to the TFS server? – Ryan Riehle Jul 31 '12 at 19:12
  • Thanks for your reply. I am not using any account. 1) I am trying this remotely from my computer over the internet. 2) My computer is not even in an IPLC or a VPN. 3) I don't even have a login ID/password for my computer. Any idea how this is possible? Thanks – Sat Aug 01 '12 at 04:56
  • How do you not have a login ID for your computer? Is that even possible? You must be logged in as *someone*... I mean, Windows comes with a built-in guest account, but I doubt those are your client credentials. You could turn on tracing on your server to see what is happening at the server side. – Ryan Riehle Aug 01 '12 at 14:53
  • @RyanRiehle: What I meant was I don't have a login password for my computer. Also, I don't have access to the server. – Sat Aug 02 '12 at 05:42
  • The credentials were in my Windows vault, as stated by Edward. Thanks for your replies! – Sat Aug 02 '12 at 05:52

1 Answer

It's probably not that you're not using any credentials, it's that you're not explicitly specifying any credentials. In this case, your logged-in user credentials will be used and you will be logged in without needing to type your username and password.

One of three things is probably happening:

  1. You are logged in to your workstation as a domain user. The TFS server you're connecting to is joined to a domain with a trust relationship to the domain that you're logged in to. Your domain user has appropriate permissions to connect and query the list of team project collections.

  2. There is no trust relationship between your computer and the TFS server, but you have an identical username/password configuration on your workstation and on the server. (I.e., you're using "shadow accounts" or "mirrored local accounts".) Your user on the TFS server has appropriate permissions to connect and query the list of team project collections.

  3. You have credentials saved for this host in Windows Credential Manager. Those credentials have appropriate permissions to connect and query the list of team project collections.

If one of these two things is not true, you would instead need to provide explicit username/password credentials to an account that has permissions to connect and query the list of team project collections.

It may be possible to turn on anonymous access in IIS and allow guest users access to list the project collections in TFS, but I don't know of anybody having done this. I've never tested this scenario myself.

In any case, if you're looking at a server that has this functionality enabled, it is indeed not the norm.

Edward Thomson
  • Thanks for your reply. But neither situation stated by you is happening. – Sat Aug 01 '12 at 03:41
  • @Sat: Could you expound upon that? – Edward Thomson Aug 01 '12 at 03:42
  • Sorry, I hit enter before typing fully. 1) I am trying this remotely from my computer over the internet. 2) My computer is not even in an IPLC or a VPN. 3) I don't even have a login ID/password for my computer. Any idea how this is possible? – Sat Aug 01 '12 at 03:53
  • @Sat: I added another possibility for where your credentials may be coming from. I suppose it is possible that the server you're looking at has anonymous access enabled, but frankly, I'm not even certain that's possible. But if it is, that setup is definitely *not* the norm. Who set this server up? Is it yours? Your company's? School's? Etc. – Edward Thomson Aug 01 '12 at 13:24
  • Yes, it's my company's server. By the way, the TFS service is running on a port other than 8080. I am able to telnet to the port without credentials. Might this be the reason? I don't know, just guessing. What would you suggest to fix it? Thanks – Sat Aug 01 '12 at 13:56
  • Can you use netmon or wireshark to confirm that there are no credentials being sent? – Edward Thomson Aug 01 '12 at 14:50
  • Sure... I just installed Netmon on my PC. I see source, destination, description etc. in the frame summary window. How do I check whether any credentials are being sent? – Sat Aug 02 '12 at 05:35
  • Yeah, you were right... the credentials were in my Windows vault. After removing them I was not able to connect to the server without credentials. Thanks – Sat Aug 02 '12 at 05:51
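The answer's point is that omitting credentials does not mean connecting anonymously: the client sends whatever Windows supplies for that host (the logon token or a Credential Manager entry). The following added example (not code from the question or the answer) makes that visible by asking TFS which identity it actually authorized, first with implicit credentials and then with explicit ones. It assumes the TFS 2010 client assemblies (Microsoft.TeamFoundation.Client, .Framework.Client, .Framework.Common) and uses a placeholder server URL and placeholder account.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Net;
using Microsoft.TeamFoundation;
using Microsoft.TeamFoundation.Client;
using Microsoft.TeamFoundation.Framework.Client;
using Microsoft.TeamFoundation.Framework.Common;

class WhoAmITfs
{
    // Connects to the configuration server and reports which identity the server
    // authorized. With credentials == null the TFS client uses the caller's default
    // Windows credentials, which is what the question's one-liner did implicitly.
    static void Report(Uri serverUri, ICredentials credentials)
    {
        TfsConfigurationServer server = credentials == null
            ? new TfsConfigurationServer(serverUri)
            : new TfsConfigurationServer(serverUri, credentials);

        try
        {
            server.EnsureAuthenticated(); // forces the handshake; throws if rejected
            Console.WriteLine("Authenticated as: {0}", server.AuthorizedIdentity.UniqueName);

            // The same query the question relies on: list project collections the
            // authorized identity is allowed to see.
            ReadOnlyCollection<CatalogNode> collections = server.CatalogNode.QueryChildren(
                new[] { CatalogResourceTypes.ProjectCollection }, false, CatalogQueryOptions.None);
            foreach (CatalogNode node in collections)
                Console.WriteLine("  visible collection: {0}", node.Resource.DisplayName);
        }
        catch (TeamFoundationServerUnauthorizedException ex)
        {
            Console.WriteLine("Not authorized: {0}", ex.Message);
        }
    }

    static void Main()
    {
        // Placeholder address; replace with the server under review.
        Uri serverUri = new Uri("http://tfs.example.invalid:8080/tfs");

        // 1. Implicit: whatever the OS hands out for this host (logon or vault entry).
        Report(serverUri, null);

        // 2. Explicit: a named account (placeholder values), to compare identities.
        Report(serverUri, new NetworkCredential("user", "password", "DOMAIN"));
    }
}
```

If the first call prints an identity you did not expect, the credentials came from somewhere on the workstation (typically Credential Manager), not from the server allowing anonymous access.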