CVE-2021-27523: Report a security vulnerability in falcon dashboard to bypass register restriction through the function in register has been closed · Issue #153 · open-falcon/dashboard

An issue was discovered in open-falcon dashboard version 0.2.0 which allows remote attackers to gain, modify, and delete sensitive information via a crafted POST request to the register interface.


Dear Author,
I'm testivy. I found that the latest version 0.2.0 of falcon dashboard has a bypass problem in the registration. See the link below:
http://book.open-falcon.com/en_0_2/quick_install/frontend.html#dashboard-user-management
When we change the value of the item "signup_disable" to "true" in the API configuration file "cfg.json" and then reboot the API in order to restrict the register function, this means that the dashboard is only for "sign in", not for "sign up".
I found in the code that I can bypass it under the "/auth/register" interface. In this condition, I can bypass the registration restriction and do as below:
Call the user-add interface and add a new user (POST https://127.0.0.1:8081/auth/register name=test&cnname=test&email=test@test.cn&password=xxx&repeat_password=xxx), then use the newly added account to log in to the dashboard for viewing, modifying, and adding.

Vulnerability details
This problem mainly occurs in dashboard/rrd/view/auth/auth.py

from flask import g, redirect, render_template, request
from rrd import app  # the dashboard's Flask application object

@app.route("/auth/register", methods=["GET", "POST"])
def auth_register():
    if request.method == "GET":
        # Only the GET branch carries a guard, and it only checks for an
        # already logged-in user; it does not consult any signup restriction.
        if g.user:
            return redirect("/auth/login")
        return render_template("auth/register.html", **locals())

    if request.method == "POST":
        ret = {"msg":""}

        # The POST branch reads the form fields without any guard at all.
        name = request.form.get("name", "").strip()
        cnname = request.form.get("cnname", "").strip()
        email = request.form.get("email", "").strip()
        password = request.form.get("password", "")
        repeat_password = request.form.get("repeat_password", "")
        # (the remainder of the handler, which creates the account, is not quoted in the report)

As we can see, in the above if branches:
in the `if request.method == "GET"` branch it checks g.user, otherwise redirecting to "/auth/login"; but when request.method == "POST", the system takes the request parameters "name, cnname, email, password and repeat_password" and adds an account in the backend. Under these circumstances, we can directly call the "auth/register" interface with the POST method to add a new user.

Reproducing the loophole
1. curl -XPOST 'http://127.0.0.1:8081/auth/register' --data 'name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234'
As we can see, the register restriction has been bypassed and a new account has been added to the dashboard management without logging in.
The response is as below:
{"msg":""}
2. View the console

Visit the index page http://127.0.0.1:8081/, then log in with the new account, and you will be able to do anything.

Best Regards
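The defender's point in the report is that the "sign up" restriction lives in the API's cfg.json while the dashboard handler never consults it, and the one guard it does have sits inside the GET branch only. The following is an added example, not code from the open-falcon project or from the issue author: a framework-free Python sketch of the reported control flow beside a hardened form in which the restriction is evaluated before any method-specific logic. The `Request` and `Context` classes stand in for flask.request and flask.g, the `signup_disable` field on `Context`, the `users` dictionary and the `_create_user` helper are assumptions of this example, and the cfg.json fragments are constructed.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the relevant key of the API cfg.json named in the report.
API_CFG_JSON_DISABLED = '{"signup_disable": true}'
API_CFG_JSON_ENABLED = '{"signup_disable": false}'


@dataclass
class Request:
    """Hypothetical stand-in for flask.request: just the method and form fields."""
    method: str
    form: dict = field(default_factory=dict)


@dataclass
class Context:
    """Hypothetical stand-in for flask.g plus the loaded configuration."""
    user: Optional[str] = None      # like g.user: the logged-in user, if any
    signup_disable: bool = False    # assumed dashboard-side mirror of the API setting


def load_signup_disable(cfg_json: str) -> bool:
    """Read the signup_disable flag from a cfg.json document (missing key means enabled)."""
    return bool(json.loads(cfg_json).get("signup_disable", False))


def _create_user(req: Request, users: dict) -> tuple:
    """Shared POST logic: minimal validation, then store the account (assumed store)."""
    name = req.form.get("name", "").strip()
    password = req.form.get("password", "")
    repeat_password = req.form.get("repeat_password", "")
    if not name or not password or password != repeat_password:
        return 200, {"msg": "invalid input"}
    users[name] = password
    return 200, {"msg": ""}


def register_vulnerable(req: Request, ctx: Context, users: dict) -> tuple:
    """Mirrors the structure of the reported handler: only the GET branch is guarded."""
    if req.method == "GET":
        if ctx.user:
            return 302, "/auth/login"
        return 200, "auth/register.html"
    if req.method == "POST":
        # Nothing here looks at ctx.signup_disable, so a direct POST always creates an account.
        return _create_user(req, users)
    return 405, {"msg": "method not allowed"}


def register_fixed(req: Request, ctx: Context, users: dict) -> tuple:
    """Hardened form: the restriction is checked first, for every HTTP method."""
    if ctx.signup_disable:
        # Rejecting before the method branch means the form can neither be rendered nor submitted.
        return 403, {"msg": "sign up is disabled"}
    if ctx.user:
        return 302, "/auth/login"
    if req.method == "GET":
        return 200, "auth/register.html"
    if req.method == "POST":
        return _create_user(req, users)
    return 405, {"msg": "method not allowed"}


def demo() -> dict:
    """Replay the report's POST, with signup disabled, against both handlers."""
    post = Request("POST", {"name": "test", "cnname": "test", "email": "test@test.cn",
                            "password": "test1234", "repeat_password": "test1234"})
    ctx = Context(user=None, signup_disable=load_signup_disable(API_CFG_JSON_DISABLED))
    vuln_users, fixed_users = {}, {}
    vuln_status, _ = register_vulnerable(post, ctx, vuln_users)
    fixed_status, _ = register_fixed(post, ctx, fixed_users)
    return {"vulnerable": (vuln_status, "test" in vuln_users),
            "fixed": (fixed_status, "test" in fixed_users)}


if __name__ == "__main__":
    print(demo())
```

With the restriction disabled in the configuration, `register_fixed` behaves like the original for an anonymous visitor; with it enabled, both the GET and the POST path are refused, which is the behaviour the report expected from setting "signup_disable" in cfg.json. The general lesson is that an authorization decision belongs before the request-method dispatch, not inside one branch of it, and that the component handling the request must actually read the setting that is supposed to govern it.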
