Dear Author,
I'm testivy. I found that the latest version 0.2.0 of the falcon dashboard has a registration bypass problem. See the link below: http://book.open-falcon.com/en_0_2/quick_install/frontend.html#dashboard-user-management
When we change the value of the item "signup_disable" to "true" in the API configuration file "cfg.json" and then restart the API, the purpose is to restrict the register function, meaning that the dashboard is only for "sign in", not for "sign up".
I found in the code that I can bypass it under the "/auth/register" interface. Under this condition, I can bypass the registration restriction as follows:
Call the user-add interface to add a new user (POST https://127.0.0.1:8081/auth/register with name=test&cnname=test&email=test@test.cn&password=xxx&repeat_password=xxx), then use the newly added account to log in to the dashboard for viewing, modifying, and adding.
Vulnerability details
This problem mainly occurs in _dashboard/rrd/view/auth/auth.py_:

```python
from flask import Flask, g, redirect, render_template, request

app = Flask(__name__)  # stand-in for the project's app object


@app.route("/auth/register", methods=["GET", "POST"])
def auth_register():
    if request.method == "GET":
        # Only the GET branch looks at the logged-in user; it never consults
        # the signup_disable switch.
        if g.user:
            return redirect("/auth/login")
        return render_template("auth/register.html", **locals())
    if request.method == "POST":
        # The POST branch reads the form fields straight away, with no check
        # that sign-up is enabled, so a direct POST reaches account creation.
        ret = {"msg": ""}
        name = request.form.get("name", "").strip()
        cnname = request.form.get("cnname", "").strip()
        email = request.form.get("email", "").strip()
        password = request.form.get("password", "")
        repeat_password = request.form.get("repeat_password", "")
        # ... the remainder of the handler (not quoted in the report) creates
        # the user and returns the {"msg": ""} response shown below.
```
As we can see, in the above if branches:
the `if request.method == "GET"` branch checks g.user and otherwise redirects to "/auth/login", but when request.method == "POST", the system takes the request parameters "name, cnname, email, password and repeat_password" and adds an account in the backend. Under these circumstances, we can directly call the "auth/register" interface with the POST method to add a new user.
Reproducing the loophole
1. `curl -XPOST 'http://127.0.0.1:8081/auth/register' --data 'name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234'`
As we can see, the register restriction has been bypassed and a new account has been added to the dashboard management without logging in.
The response is as below:
`{"msg":""}`
2. View the console
Visit the index page http://127.0.0.1:8081/, then log in with the new account, and you will be able to do anything.
Best Regards
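The hardened handler the report's scenario calls for, as an added example that is not the open-falcon project's code: a minimal WSGI stand-in for /auth/register that evaluates the cfg.json "signup_disable" switch before either the GET or the POST branch runs, so the direct POST from the report gets a 403 instead of creating an account. The config wiring, the "falcon.user" environ key standing in for g.user, and the in-memory USERS store are assumptions made for the demonstration.

```python
import io
import json
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for the API's cfg.json switch; how the real dashboard
# would load it is not shown in the report, so this wiring is an assumption.
CONFIG = json.loads('{"signup_disable": true}')
USERS = {}  # constructed in-memory user store (hypothetical)


def auth_register(environ, start_response, cfg=CONFIG):
    """Hardened /auth/register: the signup_disable check runs before the
    GET/POST branches, so a direct POST never reaches account creation."""
    if cfg.get("signup_disable", False):
        start_response("403 Forbidden", [("Content-Type", "application/json")])
        return [json.dumps({"msg": "sign up is disabled"}).encode()]
    method = environ["REQUEST_METHOD"]
    if method == "GET":
        if environ.get("falcon.user"):  # plays the role of g.user in the report
            start_response("302 Found", [("Location", "/auth/login")])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<form method='post'>register</form>"]
    if method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        name = form.get("name", [""])[0].strip()
        password = form.get("password", [""])[0]
        if not name or not password or password != form.get("repeat_password", [""])[0]:
            start_response("400 Bad Request", [("Content-Type", "application/json")])
            return [json.dumps({"msg": "invalid input"}).encode()]
        USERS[name] = {"cnname": form.get("cnname", [""])[0],
                       "email": form.get("email", [""])[0]}
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps({"msg": ""}).encode()]
    start_response("405 Method Not Allowed", [])
    return [b""]


def call(method, body="", cfg=CONFIG, user=None):
    """Drive the handler as a client request would; returns (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    data = body.encode()
    environ.update({"REQUEST_METHOD": method, "PATH_INFO": "/auth/register",
                    "wsgi.input": io.BytesIO(data), "CONTENT_LENGTH": str(len(data)),
                    "falcon.user": user})
    status = []
    out = b"".join(auth_register(environ, lambda s, h: status.append(s), cfg))
    return status[0], out.decode()
```

With the switch on, the report's curl body is refused before any form field is read; flipping it off restores the normal sign-up flow, including the GET redirect for an already logged-in user.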