open-falcon / dashboard

falcon-plus frontend

Report a security vulnerability in falcon dashboard to bypass register restriction through the function in register has been closed

testivy opened this issue · comments

Dear Author,
I'm testivy. I found that the latest version 0.2.0 of falcon dashboard has a registration bypass problem. As described at the link below:
http://book.open-falcon.com/en_0_2/quick_install/frontend.html#dashboard-user-management
when we change the value of the item "signup_disable" to "true" in the API configuration file "cfg.json" and then reboot the API, the purpose is to restrict the register function, meaning that the dashboard is only for "sign in", not for "sign up".
I found in the code that I can bypass it through the "/auth/register" interface. In this condition, I can bypass the registration restriction and do as below:
Call the user-add interface and add a new user (POST https://127.0.0.1:8081/auth/register name=test&cnname=test&email=test@test.cn&password=xxx&repeat_password=xxx), then use the newly added account to log in to the dashboard for viewing, modifying, and adding.

Vulnerability details
This problem mainly occurs in _dashboard/rrd/view/auth/auth.py_

from flask import Flask, g, redirect, render_template, request

app = Flask(__name__)  # stand-in for the project's app object, added so the excerpt is self-contained


@app.route("/auth/register", methods=["GET", "POST"])
def auth_register():
    # GET branch: a signed-in user is redirected, everyone else gets the form.
    if request.method == "GET":
        if g.user:
            return redirect("/auth/login")
        return render_template("auth/register.html", **locals())

    # POST branch: the form fields are read and the account is created; nothing
    # here consults the signup_disable setting from cfg.json.
    if request.method == "POST":
        ret = {"msg": ""}

        name = request.form.get("name", "").strip()
        cnname = request.form.get("cnname", "").strip()
        email = request.form.get("email", "").strip()
        password = request.form.get("password", "")
        repeat_password = request.form.get("repeat_password", "")
        # (remainder of the handler omitted in the report)

As we can see in the above if branches:
the if request.method == "GET" branch will check g.user, otherwise redirect to "/auth/login", but when request.method == "POST", the system will take the request parameters "name, cnname, email, password and repeat_password" and add an account in the backend. Under these circumstances, we can directly call the "auth/register" interface with the POST method to add a new user.

Loophole reproduction
1. curl -XPOST 'http://127.0.0.1:8081/auth/register' --data 'name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234'
As we can see, the register restriction has been bypassed and a new account has been added to the dashboard management without logging in.
The response is as below:
{"msg":""}
2. View the console
[screenshot omitted]

Visit the index page http://127.0.0.1:8081/, then log in with the new account, and you will be able to do anything.

Best Regards
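The handler logic described in the report, placed beside a hardened variant in which the "signup_disable" setting from cfg.json guards both branches. This is an added, framework-agnostic example, not open-falcon code; Request is a constructed stand-in for flask.request, cfg stands for the parsed cfg.json, and MIN_PASSWORD_LEN is an assumed policy.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for flask.request: only method and form are modelled."""
    method: str
    form: dict = field(default_factory=dict)


MIN_PASSWORD_LEN = 8  # assumption; the report states no password policy


def auth_register_vulnerable(req, signed_in, cfg):
    """Mirrors the reported logic: GET looks at the session, POST never consults cfg."""
    if req.method == "GET":
        if signed_in:
            return 302, "/auth/login"
        return 200, "auth/register.html"
    return 200, {"msg": ""}  # account created regardless of cfg["signup_disable"]


def auth_register_fixed(req, signed_in, cfg):
    """Hardened variant: the policy check runs before any branch does work."""
    if cfg.get("signup_disable", False):
        return 403, {"msg": "sign-up is disabled"}
    if signed_in:
        return 302, "/auth/login"
    if req.method == "GET":
        return 200, "auth/register.html"
    # POST: validate server-side; never trust the form to enforce the rules.
    name = req.form.get("name", "").strip()
    email = req.form.get("email", "").strip()
    password = req.form.get("password", "")
    repeat_password = req.form.get("repeat_password", "")
    if not name or not email:
        return 400, {"msg": "name and email are required"}
    if password != repeat_password:
        return 400, {"msg": "passwords do not match"}
    if len(password) < MIN_PASSWORD_LEN:
        return 400, {"msg": "password too short"}
    return 200, {"msg": ""}  # here the real handler would create the user


# Constructed request matching the curl command in the report.
REPORT_POST = Request("POST", {"name": "test", "cnname": "test", "email": "test@test.cn",
                               "password": "test1234", "repeat_password": "test1234"})
```

With signup_disable set, the vulnerable function still returns the {"msg": ""} success body for REPORT_POST, while the fixed one answers 403.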