
Security Risk: If URL is not found in the database, KeePassHTTPKit will fallback to unexpected results #54

Closed
zsxsoft opened this issue Aug 23, 2018 · 1 comment

Comments

zsxsoft commented Aug 23, 2018

Hi:
I'm using MacPass with MacPassHTTP. I found it will return almost all passwords from the database when I navigate to some new sites, as in the following screenshot.

[screenshot]

I tried to debug it, and I finally found that there is a problem with its fallback.
https://github.com/MacPass/KeePassHTTPKit/blob/0817abfb83a09308fd2d5c637e84237bb6c3280d/KeePassHTTPKit/Handlers/KPHHandler.m#L112

[screenshot]

The fallback route is www.iqiyi.com -> iqiyi.com, then if iqiyi.com does not exist in the database, it will finally fall back to com. However, falling back to the root domain is really not a good idea.

I created a pull request to fix this fallback as KeePassHttp did.
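The fallback the issue describes, as an added illustration (this is not KeePassHTTPKit code and not the fix from the pull request): the flawed candidate list strips leading labels until only the TLD is left, so a lookup for a host with no entry ends up matching every .com entry; the hardened variant stops at the registrable domain and returns nothing. The sample entry database, the URLs and the two-label registrable-domain rule are constructed assumptions; a real implementation should consult the Public Suffix List so suffixes like co.uk are handled correctly.

```python
"""Added example, not KeePassHTTPKit code: host fallback matching, flawed vs. hardened.

The sample entries, URLs and the two-label registrable-domain rule are constructed
assumptions for illustration; a real implementation should consult the Public
Suffix List so that hosts under suffixes like co.uk are handled correctly.
"""
from urllib.parse import urlsplit

# Constructed sample password database: entry title -> stored URL.
SAMPLE_ENTRIES = {
    "Example Mail": "https://example.com/",
    "Example Shop": "https://shop.example.com/cart",
    "Bank": "https://online.bank-example.com/",
    "Wiki": "https://wiki.example.org/",
}


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def candidates_flawed(host: str) -> list[str]:
    """Fallback as described in the issue: drop leading labels until nothing is left.

    www.iqiyi.com -> iqiyi.com -> com. The last candidate is a bare public
    suffix, which every .com entry in the database matches.
    """
    parts = host.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def candidates_hardened(host: str, min_labels: int = 2) -> list[str]:
    """Fallback that never descends below the registrable domain.

    Assumption for this example: the registrable domain is the last
    `min_labels` labels. A host with fewer labels yields no candidates,
    so a bare suffix such as "com" can never be used for matching.
    """
    parts = host.split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - min_labels + 1)]


def host_matches(entry_host: str, candidate: str) -> bool:
    """An entry matches a candidate if its host is the candidate or a subdomain of it."""
    return entry_host == candidate or entry_host.endswith("." + candidate)


def find_entries(url, entries, candidate_fn):
    """Return (matched_candidate, [titles]) for the first candidate with any match."""
    for cand in candidate_fn(hostname(url)):
        titles = [t for t, u in entries.items() if host_matches(hostname(u), cand)]
        if titles:
            return cand, titles
    return None, []


if __name__ == "__main__":
    # A site with no stored entry: the flawed fallback leaks every .com entry,
    # the hardened one returns nothing.
    for name, fn in (("flawed", candidates_flawed), ("hardened", candidates_hardened)):
        cand, titles = find_entries("https://www.iqiyi.com/login", SAMPLE_ENTRIES, fn)
        print(f"{name:9s} matched {cand!r}: {titles}")
```

Running it shows the flawed matcher reaching the candidate "com" and returning the Mail, Shop and Bank entries for a site that has no entry at all, while the hardened matcher stops after "iqiyi.com" and returns nothing; a real match (for example a host under example.com) still resolves normally with the hardened candidate list.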

zsxsoft commented Aug 23, 2018

#30

mstarke pushed a commit to MacPass/KeePassHTTPKit that referenced this issue Aug 25, 2018
@zsxsoft zsxsoft closed this as completed Aug 26, 2018