Many of the files included in Teampass are available without authentication to anyone who can interact with the web server. While this may not be an issue for some of the images or Javascript files, it is an issue for the user-uploaded files that are available without authentication.
These include:

- upload dir - all file uploads (encrypted)
- avatars dir - all profile pictures
- backups dir - (presumably) Teampass backups
  - Note that accessing the scripts here can also trigger the backups to run
- files dir
  - PDFs generated via admin functions are saved here
- many files under the "includes" directory
- miscellaneous files under web root (license.md, changelog.txt, Dockerfile, etc)
Additionally, Teampass does not appear to check whether directory listing is enabled on the web server. This feature is frequently on by default and, when left on, makes it easy to discover the hashed file names that are sometimes used.
Steps to reproduce
Use a simple curl request to retrieve one of the files I noted above, e.g.:

    curl http://<your teampass instance>/teampass/files/ldap.debug.txt
Steps to fix
- Review what files and directories should be exposed without authentication
- Ensure that only authenticated users can attempt to access files in sensitive directories (upload, backups, files, etc)
- Ensure that only authorized users can actually retrieve files in sensitive directories
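A post-hardening check for the directories and files this report names, written as an added example (not Teampass code): it requests each path anonymously and flags anything that still comes back 200, treating an autoindex page on a directory as a separate "LISTING" finding. The base URL is an assumption passed on the command line; the verdict logic itself needs no server.

```python
"""Post-hardening check for the Teampass paths named in this report.
Added example, not Teampass code: the base URL is a command-line assumption,
the paths come from the report, and no session cookie is ever sent."""
import sys
import urllib.error
import urllib.request

# Directories from the report (trailing slash also probes directory listing)
# plus some of the loose files the report names under the web root.
SENSITIVE_PATHS = [
    "upload/", "avatars/", "backups/", "files/", "includes/",
    "files/ldap.debug.txt", "license.md", "changelog.txt", "Dockerfile",
]

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page must not count as 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def classify(path, status, body):
    """Map one anonymous response to a verdict string."""
    if status in (401, 403):
        return "protected"          # server or app refused: the desired state
    if status == 404:
        return "absent"
    if 300 <= status < 400:
        return "redirected"         # most likely bounced to the login page
    if status == 200:
        if path.endswith("/") and "index of" in body.lower():
            return "LISTING"        # autoindex is enabled for this directory
        return "EXPOSED"            # content served without any session
    return "unexpected:%d" % status

def fetch(base_url, path, timeout=5.0):
    """GET base_url/path anonymously; return (status, first 4 KiB of body)."""
    opener = urllib.request.build_opener(NoRedirect)
    url = base_url.rstrip("/") + "/" + path
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")

def audit(base_url, paths=SENSITIVE_PATHS):
    return {p: classify(p, *fetch(base_url, p)) for p in paths}

if __name__ == "__main__":
    findings = audit(sys.argv[1])   # e.g. http://host/teampass  (assumption)
    for path, verdict in findings.items():
        print("%-12s %s" % (verdict, path))
    sys.exit(1 if any(v in ("EXPOSED", "LISTING") for v in findings.values()) else 0)
```

Run it against the instance after applying the web server or application changes; a non-zero exit means at least one of the listed paths is still reachable without a session.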
Server configuration

Teampass version: 2.1.27.36