Security flaw in default configuration of webui #764
Comments
@martinzhou2015 Is there a good way to get started with open5gs without adding a default user?
@acetcom A few options: Could we add a config file for the WebUI to allow access only to predefined subnets? We could add the local subnet to the config file during the install, and if a user wanted to open it up to more subnets they could change the config file themselves?
I could potentially add the forced password change on first login functionality if you think that's the best path?
The bind on 0.0.0.0 is a consequence of #587
Hi all, here is my idea. Running with However, installing in production mode will not use the current code. The admin user will be added automatically during the installation phase. Let me know if you have a different idea. Thanks a lot!
I think personally it's already fine like it was.
I think it's better to: To secure a system, under no circumstances should a default weak password be assigned automatically.
Hi, this issue was assigned with CVE-2021-25863.
I forgot this problem. I'll get back to you here when it's modified. Thank you for reminding me. |
I've fixed this issue as described below.

- In development mode, if there is no default admin account, the Node.js server WILL create the admin/1423 account.
- In production mode, even though there is no default admin account, the Node.js server WILL NOT create the admin/1423 account.

I've also improved the WebUI installation script as follows:

1. The WebUI installation script will create a default admin account if there is no account.
   $ curl -fsSL https://open5gs.org/open5gs/assets/webui/install | sudo -E bash -
2. The installation script will automatically uninstall the WebUI if the WebUI has already been installed.

It will be applied to the v2.2.8 package in the near future. Let me know if you have any further questions. Thanks a lot!
This issue has been closed automatically due to lack of activity. This has been done to try and reduce the amount of noise. Please do not comment any further. The Open5GS Team may choose to re-open this issue if necessary.
Details

The configuration of webui might result in the control panel being taken over by an arbitrary user via the default username and password.

The lines of code below indicate that, if not specified, the server will listen on 0.0.0.0:3000, which means the control panel could be accessed via WAN.

On Line 38, the code will create a default account admin / 1423 if there isn't any account specified in MongoDB.

Proof of Concept

After doing a query via Zoomeye, a search engine that lets the user find specific types of computers connected to the internet using a variety of filters, several vulnerable cases have been found:

Suggestion

The default account should never be assigned automatically.