#auth

### Summary An Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an unauthenticated attacker to access guest address information without supplying valid credentials or session cookies. ### Details During testing, it was observed that all guest users can make an unauthenticated request to retrieve address data belonging to other guest users by manipulating object identifiers. The attacker would need to know the storefront URL structure to perform this attack (which can be learnt after creating a registered user account). Affected Component(s) * Address Edit endpoint: `/addresses/{addressId}/edit` Root Cause - Faulty authorization check in CanCanCan Ability class: ```diff - can :manage, ::Spree::Address, user_id: user.id + can :manage, ::Spree::Address, user_id: user.id if user.persisted? ``` the `user` object in `Spree::Ability` class for guest users is a `Spree.user_class.new` object. Addresses endpoint to access it is part of the `...

### Summary An Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request, the backend server accepts and processes references to addresses belonging to other users, subsequently associating those addresses with the attacker’s order and returning them in the response. ### Details Affected Component(s) - Authenticated user order management - Address association logic - Order update endpoint(s) Affected Endpoint(s): - `/api/v2/storefront/checkout` The application fails to enforce proper object-level authorization when updating an existing order. While the user is authenticated and authorized to modify their own order, the backend does not verify that the supplied address identifiers belong to the same authenticated user. ### PoC Preconditions - Valid authentic...

### Summary Since 2017, the default webpack plugins have passed the entire `process.env` to `EnvironmentPlugin`. This pattern exposed ALL build environment variables to client-side JavaScript bundles whenever application code (or any dependency) referenced `process.env.VARIABLE_NAME`. This is not a regression - the vulnerable code has existed since the original Webpacker implementation. No recent code change in Shakapacker triggered this issue. ### Impact Any environment variable in the build environment that is referenced in client-side code (including third-party dependencies) is embedded directly into the JavaScript bundle. This includes: - `DATABASE_URL` - Database credentials - `AWS_SECRET_ACCESS_KEY` - AWS credentials - `RAILS_MASTER_KEY` - Rails encrypted credentials key - `STRIPE_SECRET_KEY`, `TWILIO_AUTH_TOKEN` - Third-party API keys - Any other secrets present in the build environment **Severity**: Critical - secrets are exposed in publicly accessible JavaScript files...

Researchers at Acronis have discovered a new campaign called Boto Cor-de-Rosa, where the Astaroth banking malware spreads like a worm through WhatsApp Web to steal contact lists and banking credentials.

## LFS Lock Force-Delete Authorization Bypass ### Summary An authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the `force` flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. ### Severity - **CWE-863:** Incorrect Authorization - **CVSS 3.1:** 5.4 (Medium) — `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L` ### Affected Code **File:** `pkg/web/git_lfs.go` **Function:** `serviceLfsLocksDelete` (lines 831–945) **Endpoint:** `POST /<repo>.git/info/lfs/locks/:lockID/unlock` The control flow processes `req.Force` at line 905 before retrieving user context at line 919: ```go // Line 905-916: Force delete executes immediately without authorization if req.Force { if err := datastore.DeleteLFSLock(ctx, dbx, repo.ID(), lockID); err != nil { // ... } renderJSON(w, http.StatusOK, l) ...

## Summary A flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privileges. This enables privilege escalation and bypass of session/inline policy restrictions. ## Details **akin to MinIO CVE-2025-62506** - Policy evaluation: `Policy::is_allowed` returns true when `deny_only=true` if no explicit Deny is hit, skipping all Allow checks (`crates/policy/src/policy/policy.rs:66-74`). - Service account creation path sets `deny_only=true` when the target user equals the caller or its parent (`rustfs/src/admin/handlers/service_account.rs:114-127`). - Service accounts are created without `session_policy` by default, so claims lack `SESSION_POLICY_NAME`; combined with `deny_only`, self-operations are allowed without Allow statements. - Result: a limited service account/STS can create a new service account without policy and obtain the parent’s full rights (even root), ...

### Summary The `ImportIam` admin API validates permissions using **`ExportIAMAction`** instead of **`ImportIAMAction`**, allowing a principal with *export-only* IAM permissions to perform *import* operations. Since importing IAM data performs privileged **write** actions (creating/updating users, groups, policies, and service accounts), this can lead to **unauthorized IAM modification and privilege escalation**. --- ### Details In `ImportIam`, the authorization check is implemented as follows: ```rust validate_admin_request( &req.headers, &cred, owner, false, vec![Action::AdminAction(AdminAction::ExportIAMAction)], ).await?; ``` However, this code resides in the **Import IAM** operation (`struct ImportIam {}`), which performs **state-changing IAM writes**. The expected behavior is to validate against **`AdminAction::ImportIAMAction`** (or an equivalent import-specific admin action), not `ExportIAMAction`. --- ### PoC **Prerequisites** 1. A RustFS deploym...

### TL;DR This vulnerability affects all Kirby sites where user permissions are configured to prevent specific role(s) from performing write actions, specifically by disabling the `update` permission with the intent to prevent modifications to site content. If developers haven't configured any user permissions that deviate from the default of allowing all actions, their site is *not* affected. ---- ### Introduction Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for updating content have already existed and could be configured for each model type, but were not enforced by Kirby's API backend code during operations to the changes version. The changes version is the content version that contains unsaved changes of existing models (pages, users, files or the site). ### Impact The missing permission checks allowed attackers with Panel access to create or discard a changes version or update the cont...

### Summary An unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. **NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality.** ### Details When a client disconnects, tab_id is cleared at https://github.com/zauberzeug/nicegui/blob/main/nicegui/client.py#L307 before delete() is called at https://github.com/zauberzeug/nicegui/blob/main/nicegui/client.py#L319. By then tab_id is None, so there's no way to find the RedisPersistentDict and call https://github.com/zauberzeug/nicegui/blob/main/nicegui/persistence/redis_persistent_dict.py#L92. Each tab creates a RedisPersistentDict with a Redis client connection and a pubsub subscription. These are never closed, accumulating until Redis maxclients is reached. ### PoC #### Test ...

Multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limits, or message size constraints. ### Impact #### 1. Missing connection and stream limits (gRPC / HTTPS / HTTP3) The affected servers do not enforce reasonable upper bounds on concurrent connections or active streams. An attacker can: - Open many parallel connections - Rapidly issue requests without limit - Consume memory until the CoreDNS process becomes unresponsive or is terminated by the OOM killer Testing demonstrates that modest resource configurations (e.g., 256 MB RAM) can be exhausted quickly. Increasing concurrency parameters in the PoCs allows attackers...