Report a security vulnerability in falcon dashboard to bypass register restriction through the function in register has been closed
testivy opened this issue · comments
Dear Author,
I’m testivy. I found that the latest version 0.2.0 of falcon dashboard has a registration bypass problem. See the link below:
http://book.open-falcon.com/en_0_2/quick_install/frontend.html#dashboard-user-management
When we set the value of the item "signup_disable" to "true" in the API configuration file "cfg.json" and then restart the API in order to restrict the register function, this means the dashboard is only for "sign in", not for "sign up".
I found in the code that I can bypass it under the "/auth/register" interface. In this condition, I can bypass the registration restriction and do as below:
Call the user-add interface and add a new user (POST https://127.0.0.1:8081/auth/register with name=test&cnname=test&email=test@test.cn&password=xxx&repeat_password=xxx), then use the newly added account to log in to the dashboard for viewing, modifying, and adding.
Vulnerability details
This problem mainly occurs in _dashboard/rrd/view/auth/auth.py_
```python
# Excerpt from dashboard/rrd/view/auth/auth.py as quoted in the report; indentation
# restored. Imports are assumed from the Flask app layout and were not part of the quote.
from flask import request, g, redirect, render_template
from rrd import app  # assumed: the dashboard's Flask application object


@app.route("/auth/register", methods=["GET", "POST"])
def auth_register():
    if request.method == "GET":
        # Only the GET branch checks the logged-in user; there is no signup_disable
        # check in front of the POST branch below.
        if g.user:
            return redirect("/auth/login")
        return render_template("auth/register.html", **locals())
    if request.method == "POST":
        ret = {"msg": ""}
        name = request.form.get("name", "").strip()
        cnname = request.form.get("cnname", "").strip()
        email = request.form.get("email", "").strip()
        password = request.form.get("password", "")
        repeat_password = request.form.get("repeat_password", "")
        # ... the quoted excerpt ends here; validation and user creation follow in the original file.
```
As we can see in the above if branches:
the `if request.method == "GET"` branch checks `g.user` and otherwise redirects to "/auth/login", but when `request.method == "POST"`, the system takes the request parameters "name, cnname, email, password and repeat_password" and adds an account in the backend. Under these circumstances, we can directly call the "auth/register" interface with the POST method to add a new user.
Reproducing the loophole
1. `curl -XPOST 'http://127.0.0.1:8081/auth/register' --data 'name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234'`
As we can see, the register restriction has been bypassed and a new account has been added to the dashboard management without logging in.
The response is as below:
{"msg":""}
2. View the console
Visit the index page http://127.0.0.1:8081/, then log in with the new account, and you can do anything.
Best Regards
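For reference, here is an added example (not code from the open-falcon dashboard) of how the register view can be structured so the signup gate applies to both methods: the `signup_disable` decision is taken before the request method is inspected, so a direct POST cannot skip it. To stay self-contained it is written as a plain WSGI callable rather than a Flask view; `CONFIG`, `USERS` and the `call` helper are constructed for the example.

```python
# Added example: a register handler where the signup_disable check runs
# before the GET/POST branching, so the POST path cannot bypass it.
import io
import json
from urllib.parse import parse_qs

CONFIG = {"signup_disable": True}  # mirrors the cfg.json key from the report
USERS = {}                          # constructed in-memory store: name -> record


def auth_register(environ, start_response, logged_in_user=None):
    """WSGI-style view for /auth/register. The gate is evaluated first."""
    if CONFIG.get("signup_disable"):
        start_response("403 Forbidden", [("Content-Type", "application/json")])
        return [json.dumps({"msg": "signup disabled"}).encode()]
    method = environ["REQUEST_METHOD"]
    if method == "GET":
        if logged_in_user:
            start_response("302 Found", [("Location", "/auth/login")])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<form method=post>...</form>"]
    if method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(size).decode()
        form = {k: v[0] for k, v in parse_qs(raw).items()}
        name = form.get("name", "").strip()
        password = form.get("password", "")
        if not name or not password or password != form.get("repeat_password"):
            msg = "name, password and repeat_password are required and must match"
        elif name in USERS:
            msg = "name already exists"
        else:
            USERS[name] = {"cnname": form.get("cnname", ""), "email": form.get("email", "")}
            msg = ""
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps({"msg": msg}).encode()]
    start_response("405 Method Not Allowed", [])
    return [b""]


def call(method, body=b"", user=None):
    """Invoke the view with a constructed WSGI environ; returns (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/auth/register",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    captured = {}
    out = b"".join(auth_register(environ, lambda s, h: captured.update(status=s), user))
    return captured["status"], out.decode()
```

With `signup_disable` set, the same form body that the report's curl command sends is rejected with 403 and no account is created; with the flag cleared, the request succeeds and returns `{"msg": ""}` as in the report.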