|
51 | Multiple Free Public Cloud accounts obtained by a singl ... | Closed | 25.04.2024 |
Task Description
Description
Alwaysdata allows users to create a Free Public Cloud (100MB) account. Each user is limited to having only one Free Public Cloud (100MB account. However, I discovered that a user can bypass this restriction and obtain multiple Free Public Cloud (100MB) accounts by asking other users to create a new free account and then transfer ownership of that account to them.
Reproduction Steps
1. User A creates a new Free Public Cloud (100MB) storage account 2. User B creates a new Free Public Cloud (100MB)storage account 3. User B transfers ownership of their account to User A through: https://admin.alwaysdata.com/admin/account/ 4. User A now has two Free Public Cloud (100MB)storage accounts (their original account and the one transferred from User B) 5. This process can be repeated with same user B for unlimited times to accumulate unlimited no of free accounts.
Impact
By exploiting account ownership transfers, a user can essentially obtain unlimited free storage, potentially leading to loss for alwaysdata
Recommendation
Implement additional checks and restrictions to prevent users from obtaining multiple free accounts through ownership transfers. Possible mitigations could include:
1. Limiting the number of free accounts a user can own, regardless of the acquisition method (creation or transfer). 2. Disallowing ownership transfers for free accounts or requiring explicit approval from the service provider. 3. Automatically consolidating multiple free accounts under the same user into a single account, preserving the total storage limit.
Proof of Concept:
|
|
50 | *Title:* Two-Factor Authentication Bypass via Support T ... | Closed | 24.04.2024 |
Task Description
*Title:* Two-Factor Authentication Bypass via Support Ticket Creation in [admin.alwaysdata.com]
*Summary:* A critical security vulnerability has been identified in the [admin.alwaysdata.com]'s account management system where a user with administrative privileges but mandated to use two-factor authentication (2FA) can bypass this requirement by initiating a support ticket under the name of the primary account holder without triggering 2FA.
*Description:* This vulnerability allows an added user, who is supposed to be restricted by 2FA, to perform actions appearing as the primary account holder by submitting support tickets. This circumvents the security protocol intended to protect sensitive account operations via 2FA, potentially leading to unauthorized actions without the account holder's consent or knowledge.
*Steps to Reproduce:* 1. Create two user accounts, Account A (primary) and Account B. 2. From Account A, add Account B as another user with full administrative privileges but enforce 2FA on actions. 3. Log into Account B. 4. Navigate to the support section and initiate a support ticket, selecting Account A as the affected account. 5. Submit the ticket without being prompted for 2FA verification.
I sent a proof of concept : https://admin.alwaysdata.com/support/77431/367474-VID-20240423-WA0000.mp4
*Impact:* The primary account holder's security is compromised as the added user can perform sensitive operations under their guise without completing the necessary 2FA checks. This vulnerability may lead to unauthorized access and control over the primary account's sensitive functions and data.
|
|
49 | Vulnerability Report: Lack of Rate Limiting on Password ... | Closed | 24.04.2024 |
Task Description
The website does not implement rate limiting on password reset links, allowing an attacker to repeatedly request password reset links for any account. This could lead to account takeover through brute-force attacks.
Description When an attacker gains access to a target account's email address, they can repeatedly request password reset links without any rate limiting in place. This allows them to flood the target's email inbox with reset links, making it difficult for the legitimate user to identify and use the valid reset link. Additionally, the attacker can automate this process, increasing the efficiency of the attack.
Impact Account Takeover: Attackers can potentially take over user accounts by flooding their email inbox with reset links, making it easier to intercept a valid reset link and gain unauthorized access. User Disruption: The flood of reset links can disrupt the user's ability to use their email normally, causing inconvenience and potential confusion.
Recommendations Implement rate limiting on password reset requests to prevent brute-force attacks. Limit the number of password reset links that can be requested per minute per IP address or account. Implement CAPTCHA or other mechanisms to distinguish between automated and legitimate requests.
Steps to Reproduce 1- Go To This Link https://admin.alwaysdata.com/login/ Enter your Email Click On Forget Password 2- intercept burp and send request to intruder 3- make payload and start attack
Supporting Material/References
OWASP Password Reset Best Practices
Impact Account Takeover User Disruption
Proof of Concept N/A (Describe how you were able to successfully exploit the vulnerability.)
Remediation Implement rate limiting on password reset requests to prevent brute-force attacks. Limit the number of password reset links that can be requested per minute per IP address or account. Implement CAPTCHA or other mechanisms to distinguish between automated and legitimate requests.
Supporting Material/References OWASP Password Reset Best Practices
Impact Account Takeover User Disruption
Proof of Concept
SS ATTACHED
REQUEST** (BY USING BRUP SUITE)
POST /password/lost/ HTTP/2 Host: admin.alwaysdata.com Cookie: REACTED User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://admin.alwaysdata.com/password/lost/ Content-Type: application/x-www-form-urlencoded Content-Length: 116 Origin: https://admin.alwaysdata.com Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers
csrfmiddlewaretoken=8GNhIyHjyRaBHSlBRaaN9gMWKaksiJR3Py8S3TJoW8zb7tq5gU4JzRA1cMEp0VHl&email=alexdoppler29%40gmail.com
SS LINK - https://drive.google.com/file/d/1a0vqAOB6u6ayQSNX4ktQuUOWIAgNQjAR/view?usp=sharing
|
|
48 | Clickjacking (On-click) Vulnerability in Support Ticket ... | Closed | 24.04.2024 |
Task Description
*Title:* Clickjacking (On-click) Vulnerability in Support Ticket Attachment Deletion in [admin.alwaysdata.com]
*Summary:* The support ticket system of the web application is vulnerable to a clickjacking attack that allows an attacker to trick a user into deleting attachments from their support tickets unknowingly.
On-click Delete any attachment for users in support tickets Delete any attachment for users in technical support tickets
*Steps to Reproduce:* 1. Create a support ticket in the application. 2. Attach a file to the support ticket. 3. Obtain the direct link of the attachment and append the /delete/ command to the URL. 4. Create an HTML proof-of-concept file with the following content:
html
<a href="https://admin.alwaysdata.com/support/----/delete/----">click</a>
5. Host this HTML page or send it via link to the victim. 6. Once the victim clicks on the disguised link, the attachment is deleted without their explicit consent or knowledge.
An attacker can use his location and attach an html file instead of sending a file that the user clicks on.
*Impact:* The exploit enables unauthorized deletion of any attachment from user-created support tickets. This can result in loss of critical data and potential breach of information security, affecting data integrity and user trust.
This is in addition to this report as I explained in another way but I remembered now that the attacker had to delete any technical support ticket in the way I explained in this report link: https://security.alwaysdata.com/task/24
|
|
47 | information disclosure | Closed | 13.04.2024 |
Task Description
i found this detial in one of the git file on https://security.alwaysdata.com/.git/config
and this file contains 0000000000000000000000000000000000000000 58bea729f4359a45f69aaba274bb2a931155b427 Cyril Baÿ cbay@alwaysdata.com 1704809861 +0100 clone: from https://github.com/flyspray/flyspray.git
this information in the master named file which i think is sensitive as it disclosing the email address and other stuff also other files like config and packed-refs contain sensitive information , but its all on you to decide weather the information is sensitive or not contact me on my email bhavishthakral123@gmail.com
|
|
46 | Open Redirection Vulnerability | Closed | 13.04.2024 |
Task Description
Hi Team,
I hope this email finds you well. I am Ali Haider, a security researcher and a penetration tester. I have been a bug bounty hunter for almost 2 years now. I always enjoyed the challenge of finding vulnerabilities, as it always felt like a great achievement to find them. I wanted to bring to your attention a Open Redirection Vulnerability I encountered while using your website.
|
|
45 | Bug Title: Missing access control at password change. | Closed | 09.04.2024 |
Task Description
Hello Web Security Severity: Medium Domain: https://admin.alwaysdata.com
Description : A security researcher discovered that after resetting a password, the user was automatically logged in. As such, compromising a legitimate password reset link (via referrer token leakage or a similar issue) could lead to compromising the account since the user would not be forced to log in after resetting their password.
Proof Of Concept: 1.Go to this website:(https://admin.alwaysdata.com) 2.Send the password reset link to your email. 3.Go to your email and open the link. 4.Set a new password. 5.Boom.Automatically logged in.
Fix: OWASP forgot password recommendations(https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet) suggest a better approach, which we have now implemented.
Thanks.
Reference : https://hackerone.com/reports/164648 https://hackerone.com/reports/255020
|
|
44 | Security Vulnerability | Business Logic Flaw | Closed | 28.03.2024 |
Task Description
Subject: Business Logic Flaw
Dear Security Team,
I trust this message finds you well in safeguarding our digital domain. I have successfully conducted a penetration test and am pleased to present the detailed findings in the attached report below.
Vulnerability Details:
Type: Business Logic Flaw Severity: Medium Vulnerable Endpoint: https://admin.alwaysdata.com/admin/account/add/ Description: The vulnerability enables attackers to bypass the restriction limiting the creation of only one Free Public Cloud (100MB). By exploiting this vulnerability, known as a race condition, an attacker can create more than 1 instances of the Free Public Cloud (100MB), potentially leading to resource abuse and unauthorized usage.
Reproduction Steps: Log into the attacker’s account. Remove all previous accounts from the attacker’s main account. Attempt to add 2 Free Public Cloud (100MB), which will fail due to the existing function limitation. To bypass this limitation, delete all Free Public Cloud (100MB) instances and capture the request to add a Free Public Cloud (100MB) using BurpSuite. Duplicate the captured request in multiple tabs and modify the account names in each request. Group all the requests and configure them to be sent in parallel (Single Packet Attack) in BurpSuite. This will result in the addition of more than one Free Public Cloud (100MB). Proof Of Concept:
Image & video-based POC is connected to the email.
Impact:
The impact of this vulnerability is significant as it allows attackers to bypass restrictions and manipulate the system to their advantage. By exploiting this flaw, attackers can create multiple instances of the Free Public Cloud (100MB), despite the intended limitation of only one. This can lead to several adverse consequences
Mitigations: Increased resource usage and financial losses. Risks of data breaches and damage to reputation.
NOTE: THESE ATTACKS HAVE BEEN DONE WHILE KEEPING SERVER’S SECURITY IN MIND, ENSURING THAT THE SERVER DOES NOT INCUR ANY DAMAGE. THIS ATTACK HAS BEEN PERFORMED WITH CAUTION.
Regards, Zeeshan Beg
Google Drive POC Link : https://drive.google.com/file/d/1qz6s7g6l1dYsF1aq3PpAoIyzeodZTUBx/view?usp=sharing
|
|
43 | Information Disclosure PHPpgAdmin | Closed | 03.04.2024 |
Task Description
Vulnerability Detail
PHPpgAdmin setup page is accessible over the internet in which it's possible for the user setup the servers with required details.
Vulnerable Endpoints
https://phppgadmin.alwaysdata.com/phppgadmin/redirect.php?subject=root You can add a server via this endpoint https://phppgadmin.alwaysdata.com/phppgadmin/redirect.php?subject=server&server=&
Impact Its possible for an attacker to configure the servers without information of the application adminstrator.
|
|
42 | Git Configuration Exposure | Closed | 27.03.2024 |
Task Description
Vulnerability Git Configuration Exposure
Severity Level Critical
Vulnerable Domain: https://upload.alwaysdata.com/.git/config
1. Executive Summary: The Git Configuration Exposure vulnerability poses a significant threat to web applications, allowing unauthorized access to sensitive source code repositories. Through the discovery of exposed .git/ directories, attackers can leverage this information to extract the complete source code of a website. This breach can result in the unauthorized disclosure of sensitive information, including proprietary code, configuration files, and other critical assets. This executive summary outlines the discovery, impact, and recommended mitigation strategies for this vulnerability.
2. Overview The vulnerability arises when an attacker identifies the presence of a .git/config directory. This discovery provides a direct route to the Git repository of a web application. By employing specialized tools such as those available in Kali Linux, an attacker can download the entire source code of the website, gaining access to proprietary code, scripts, and configuration files. The consequences of this exposure extend beyond the compromise of intellectual property to potential security risks and the unauthorized retrieval of sensitive information.
3. Vulnerability Discovery The vulnerability is discovered through directory research, where the presence of a .git/config directory is identified. Attempts to access this directory reveal the underlying Git repository, providing a pathway for unauthorized individuals to exploit the exposed version control system.
4. Impact Unauthorized Access to Source Code: Attackers can download the complete source code of the website, enabling the extraction of proprietary code, scripts, and configuration files. Intellectual Property Theft: The compromise of source code poses a significant risk of intellectual property theft, potentially leading to unauthorized use or distribution. Sensitive Information Exposure: The extracted source code may contain sensitive information, such as API keys, database credentials, and other critical data, compromising the overall security of the web application.
5. Mitigation Strategies
Git Configuration Hardening: Implement strict access controls and configure Git repositories to restrict access to authorized personnel only. Directory Listing Prevention: Disable directory listing to prevent the exposure of .git directories during web server configuration. Git Repository Hosting Security: If using third-party Git repository hosting services, ensure proper access controls are in place, and sensitive information is not exposed.
6. Steps To Reproduce:
1- Visit this URL = https://upload.alwaysdata.com/.git/config 2- You can see the Config file. 3- Using the gitdumper tool, in which I was able to dump the whole .git directory. 4- Boom!! I have access to the whole source code of the application. 4- Command –> ./git_dumper.py https://upload.alwaysdata.com/.git/ your/any/directory/of/kali
Important Note: Another thing I'd like to share with you is that I haven't extensively exploited this vulnerability. Otherwise, I could have easily downloaded the entire website's source code, which often contains many and many sensitive information.
Proof of concept As you can see that I am able to access the entire source code. Now, if I put the output command to my command, I can download the whole source code.
[-] Testing https://upload.alwaysdata.com/.git/HEAD [200] [-] Testing https://upload.alwaysdata.com/.git/ [403] [-] Fetching common files [-] Fetching https://upload.alwaysdata.com/.git/hooks/commit-msg.sample [200] [-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-commit.sample [200] [-] Fetching https://upload.alwaysdata.com/.gitignore [200] [-] Fetching https://upload.alwaysdata.com/.git/hooks/applypatch-msg.sample [200] [-] Fetching https://upload.alwaysdata.com/.git/COMMIT_EDITMSG [404] [-] https://upload.alwaysdata.com/.git/COMMIT_EDITMSG responded with status code 404 [-] Fetching https://upload.alwaysdata.com/.git/hooks/post-commit.sample [404] [-] https://upload.alwaysdata.com/.git/hooks/post-commit.sample responded with status code 404 [-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-push.sample [200] [-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-rebase.sample [200] [-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-receive.sample [200] [-] Fetching https://upload.alwaysdata.com/.git/index [200] [-] Fetching https://upload.alwaysdata.com/.git/info/exclude [200] [-] Fetching https://upload.alwaysdata.com/.git/objects/info/packs [404] [-] https://upload.alwaysdata.com/.git/objects/info/packs responded with status code 404 [-] Fetching https://upload.alwaysdata.com/.git/hooks/update.sample [200] [-] Fetching https://upload.alwaysdata.com/.git/hooks/prepare-commit-msg.sample [200] [-] Fetching https://upload.alwaysdata.com/.git/hooks/post-receive.sample [404] [-] https://upload.alwaysdata.com/.git/hooks/post-receive.sample responded with status code 404 [-] Fetching https://upload.alwaysdata.com/.git/hooks/post-update.sample [200] [-] Fetching https://upload.alwaysdata.com/.git/hooks/pre-applypatch.sample [200] [-] Fetching https://upload.alwaysdata.com/.git/description [200] [-] Finding refs/ [-] Fetching https://upload.alwaysdata.com/.git/info/refs [404] [-] https://upload.alwaysdata.com/.git/info/refs responded with status code 404 [-] Fetching https://upload.alwaysdata.com/.git/ORIG_HEAD [404] [-] Fetching https://upload.alwaysdata.com/.git/config [200] [-] https://upload.alwaysdata.com/.git/ORIG_HEAD responded with status code 404 [-] Fetching https://upload.alwaysdata.com/.git/FETCH_HEAD [404] [-] https://upload.alwaysdata.com/.git/FETCH_HEAD responded with status code 404 [-] Fetching https://upload.alwaysdata.com/.git/logs/HEAD [200] [-] Fetching https://upload.alwaysdata.com/.git/packed-refs [200] [-] Fetching https://upload.alwaysdata.com/.git/refs/heads/master [200] [-] Fetching https://upload.alwaysdata.com/.git/refs/remotes/origin/master [404] [-] https://upload.alwaysdata.com/.git/refs/remotes/origin/master responded with status code 404 [-] Fetching https://upload.alwaysdata.com/.git/refs/stash [404] [-] https://upload.alwaysdata.com/.git/refs/stash responded with status code 404 [-] Fetching https://upload.alwaysdata.com/.git/refs/remotes/origin/HEAD [200] Many More File will be Fatched…..!
|
|
41 | Directory Listing of Unauthorized Xapian Files | Closed | 27.03.2024 |
Task Description
Vulnerable URL's: https://files.alwaysdata.com/ https://files.alwaysdata.com/migrations/ https://files.alwaysdata.com/migrations/software-2017/ https://files.alwaysdata.com/migrations/software-2020/
Summary:
The vulnerability was discovered during security testing when the directory listing feature of a web server listed the xapian-7.3.so file among its contents. Given that xapian-7.3.so is a shared object file for Xapian, a highly versatile search engine library, its exposure poses significant security risks. This file contains compiled code that is executed within the server context, making it a critical component of the search functionality offered by the hosting server.
Impact:
The inadvertent exposure of xapian-7.3.so could have several potential impacts:
Information Disclosure: Malicious actors could download and analyze the shared object file to uncover proprietary algorithms or specific implementations of the search engine, leading to a competitive disadvantage or privacy violations. Security Vulnerability Exploitation: If any vulnerabilities exist within the specific version of the file, attackers could develop exploits to compromise the server or manipulate search engine results. Service Disruption: In scenarios where the file is not merely exposed but also manipulable or deletable, attackers could disrupt the search functionality, leading to denial of service.
Mitigation
Immediate steps should be taken to mitigate the vulnerability:
Disable Directory Listing: Configure the web server to disable directory listing globally or specifically within directories not intended for public access. Access Controls: Implement proper access controls to ensure that sensitive files, such as xapian-7.3.so, are not accessible via the web server to unauthorized users. Security Patches: Ensure that all components, especially exposed ones like xapian-7.3.so, are regularly updated to the latest versions to mitigate known vulnerabilities.
|
|
40 | No Rate Limit On Reset Password in admin.alwaysdata.co ... | Closed | 27.03.2024 |
Task Description
No Rate Limit On Reset Password in admin.alwaysdata.com
welcome all : i found that no rate limit in reset password in ::: https://admin.alwaysdata.com/password/lost/ Summary: No rate limit check on forgot password which can lead to mass mailing and spamming of users and possible employees A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache. Steps To Reproduce The Issue 1- create account and go to reset password 2- intercept burp and send request to intruder 3- make payload and start attack
Impact 1- Attacker could use this vulnerability to bomb out the email inbox of the victim. 2- Attacker could send Spear-Phishing to the selected mail address. 3-Causing financial losses to the company
|
|
39 | PII Disclosure | Closed | 28.03.2024 |
Task Description
Go to the below link and you can see the billing information of a user which includes his email and other critical information
https://web.archive.org/web/20220713065916/https://admin.alwaysdata.com/billing/337102/pdf/?user_id=150041&token=1657692793-a13e927142b2d5d7f427
|
|
38 | Bug Title: Prototype Pollution Vulnerability Report | Closed | 19.03.2024 |
Task Description
Bug Title: Prototype Pollution Vulnerability Report Weakness: Prototype Pollution Hello Web Security Team,
I am reporting a security vulnerability on the website https://www.alwaysdata.com/en/ The website is affected by prototype pollution due to the usage of an outdated jQuery version.
Description: The website uses jQuery version 1.12.4, which is susceptible to prototype pollution. This vulnerability allows an attacker to inject properties into Object.prototype, affecting all objects across the application. Notably, the "deep" version of jQuery $.extend is impacted.
Steps To Reproduce: 1. To check if the application is vulnerable to prototype pollution attack we can use the below command:
command: $.extend(true, {}, JSON.parse('{"__proto__":{"polluted":"hacked"}}'));
2. Now let's open the application URL: https://www.alwaysdata.com/en/ and enter into the developer options Console tab and paste the command and hit enter. Notice that the result contains an option with polluted: hacked
Image: https://ibb.co/VxyNw4z
Impact: Prototype pollution introduces a severe risk to the application. An attacker, upon exploiting this vulnerability, can manipulate default values for options passed to functions with an "options" argument—a common pattern in JavaScript applications. The impact escalates based on the application's use of such options, potentially leading to unauthorized modifications and alterations in the application's behavior.
Supporting Material/References: https://hackerone.com/reports/380873 https://hackerone.com/reports/454365 The vulnerability has been verified on jQuery version 1.12.4, and it is likely to affect older versions. The issue is present when using Chrome latest version.
Fix: Update latest version of jquery 3.7.1 is the best remediation as it has no known vulnerabilities at the time of this writing
|
|
37 | unverified password change in [admin.alwaysdata.com] | Closed | 27.03.2024 |
Task Description
unverified password change in [admin.alwaysdata.com]
Hello team!
I have found an interesting flaw where an attacker can change the account password without knowing the old password
When the user requests a password reset link, it accesses the activity log inside the account and this bug can be exploited by an attacker
Steps to reproduce the bug :
1-Create a new account on [admin.alwaysdata.com] 2-log in to your account 3-request the password reset link from another browser 4-you will notice that the password reset link you requested has arrived in the activity log
Impact : If the attacker hijacks the session or gains access to the user account, he can request a password reset link and the link will reach him in the Account Activity Log, from which he can reset the account password without knowing the old password
|
|
35 | Git Folder Forbidden Bypass | Closed | 22.02.2024 |
Task Description
Hi, During google search I have found an Open sensitive git directory. Git metadata directory (.git) was found in this folder. An attacker can extract sensitive information by requesting the hidden metadata directory that version control tool Git creates. The metadata directories are used for development purposes to keep track of development changes to a set of source code before it is committed back to a central repository (and vice-versa). When code is rolled to a live server from a repository, it is supposed to be done as an export rather than as a local working copy, and hence this problem. Vulnerable URL:- https://upload.alwaysdata.com/.git/ (403 forbidden) bypass https://upload.alwaysdata.com/.git/config https://upload.alwaysdata.com/.git/logs/HEAD
https://security.alwaysdata.com/.git/ (403 forbidden) bypass https://security.alwaysdata.com/.git/config https://security.alwaysdata.com/.git/logs/HEAD
These files may expose sensitive information that may help a malicious user to prepare more advanced attacks. Remove these files from production systems or restrict access to the .git directory. To deny access to all the .git folders you need to add the following lines in the appropriate context (either global config, or vhost/directory, or from .htaccess) Thanks
|
|
34 | Unvalidated Input vulnerability in Class_Join feature a... | Assigned | |
Task Description
Description
An unvalidated input vulnerability has been identified in the class joining process of the platform. By fuzzing the teacher ID parameter in the class_join URL, an attacker can potentially join any class without proper authorization. This issue poses a significant security risk and may lead to unauthorized access to sensitive information and class benefits.
Impact
The potential impact includes:
a) Unauthorized access to sensitive class information b) Compromised data privacy for both students and instructors.
Proof-of-Concept
To reproduce the vulnerability, follow these steps:
1) First, we log in a test account. Next, we replay this invite URL I got from an actual tutor invite, but now we manipulate the teacher ID value to grant us unvalidated access to certain classes. This is the invite URL:
https://admin.alwaysdata.com/academic/attach/?teacher=<TEACHER_ID>
2) Fuzz different values for the ID parameter to find classes that can be accessed without proper authorization. A bit flipper attack would provide the best results.
3) Upon finding a class with a vulnerable ID, join the class by providing the manipulated URL to the unauthorized user.
Mitigation
1) Implement proper input validation and sanitization for the class ID parameter to ensure that only authorized users can join classes. This can be done by assigning a temporary validation token per class_join request.
2) In the absence of token validation, the teacher_id could be encrypted to a longer, more obfuscated value to reduce predictability.
POC || Bit Flipper Video: https://file.io/qy91eQRASzyo
|
|
33 | Privilege Escalation in admin.alwaysdata.com - Academic ... | Closed | 16.02.2024 |
Task Description
Description
A vulnerability has been discovered in the student management system, which allows a normal user account to bypass access controls. ANY registered low-level user, with no knowledge or involvement in a class, can globally detach any student involved just by manipulating the UID. Even without tutorship/academic privileges and regardless of tutor access control.
Impact
A malicious attacker could fuzz predictable UID values and remove multiple students, abusing the privesc as a nuisance.
Proof-of-Concept
1) First, we logged in to an actual tutor account where I've added a few students. Next, I take note of the IDs of each student involved.
2) Then, I logged out and just to validate this exploit, I would create a NEW account.
3) This is the vulnerable endpoint:
https://admin.alwaysdata.com/academic/release/<USER_ID>
I replaced the <USER_ID> param with the various IDs I recorded from the tutor account.
4) Visit these URLs on the new account and observe the results.
5) Then, log out and re-login to the tutor account. Visit https://admin.alwaysdata.com/academic/ and confirm poc validity.
Mitigation
Implement proper access controls and role-based permissions to restrict normal users from utilizing global admin/tutor privileges. Conduct a thorough review of the authentication and authorization processes to ensure that no other similar vulnerabilities exist.
POC video: https://file.io/DRmuH2Qk7wZk
|
|
32 | Server Path Traversal + Information Disclosure on admin ... | Closed | 15.02.2024 |
Task Description
Description
I identified a vulnerability in the SSH function of admin.alwaysdata.com, where the home directory setting is vulnerable to server path traversal.
Proof-of-Concept
1. Login to your account and visit https://admin.alwaysdata.com/ssh
2. Edit the home directory from '/' to '/../../../../../../'
3. Next, save the settings and login to your SSH shell. Type ls. You'll discover your path has been traversed.
4. Access the /alwaysdata/etc/passwd folder to view the admin superusers. More information of other users are also available throughout the server.
For example;
/var/lib/extrausers/passwd shows all the other registered users on the server.
/usr/lib/python3/dist-packages/fail2ban/tests/files/logs/postfix display failban logs.
Other interesting files;
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd
/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd
Mitigation
Restrict access to any parent directory, other than the container being run.
|
|
31 | Broken Access Vulnerability via 'Impossible deletion' E ... | Closed | 16.02.2024 |
Task Description
Description
A vulnerability exists on the https://admin.alwaysdata.com/ permissions_delete endpoint which is intended for deleting sub-accounts' generated data or permissions. However due to unsecure design, it can also be used to remove critical permissions or access controls of the owner account, rendering the account useless.
Proof-of-Concept
1. Visit this URL: https://admin.alwaysdata.com/permissions/<owner-id>/delete/ (Replace owner-id with the the id of main account, that is, the one with 'impossible deletion')
2. This renders the account useless. But permissions can still be reinstated using the following request
POST /permissions/<account-id>/ HTTP/2
Host: admin.alwaysdata.com
Cookie: csrftoken=nHI6Qy3zJu9uxxxqNvXRuZlTuvgLJwbBI5jg4XRa; django_language=en; sessionid=tdcg6j9im2g31ga9tk7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://admin.alwaysdata.com/permissions/
Content-Type: application/x-www-form-urlencoded
Content-Length: 314
Origin: https://admin.alwaysdata.com
csrfmiddlewaretoken=U0CcqjIPBxxxxxxxxxxxx2zGI69d7GFBI5AKORMPsTJlk1SfgDJZ5t&csrfmiddlewaretoken=U0CcqjIPBxxxxxxxxxxxxxxxx7GFBI5AKORMPsTJlk1SfgDJZ5t&email=<EMAIL>&customer_account=on&customer_contact_billing=on&customer_full_accounts=on&customer_full_servers=on&account=<USERID>
Mitigation
Ensure that only authorized admin can access and modify owner permissions through the delete endpoint. This can be achieved by implementing authentication and authorization mechanisms.
|
|
30 | Information Disclosure on cAdvisor software via Origin ... | Closed | 16.02.2024 |
Task Description
Description
I discovered that cAdvisor, a container monitoring and management tool, is exposed to the public internet. Using OSINT techniques, this endpoint was discovered on one of the company servers. This information disclosure could potentially be used by attackers for various malicious purposes, such as mapping vulnerable targets or launching further attacks.
Proof-of-Concept
To demonstrate this issue, we can access the cAdvisor web interface via the URLs; http://185.31.41.177:8000/containers/ http://185.31.41.177:8000/metrics/ http://185.31.41.177:8000/api/v1.0/machine http://185.31.41.177:8000/containers/user.slice http://185.31.41.177:8000/containers/system.slice
Browse through the URIs for more information on processes running, users involved, resource usage, container names e.t.c.
Mitigation
Restrict access to cAdvisor. Limit access to the cAdvisor interface to trusted users or networks only.
|
|
29 | URL Override in api.alwaysdata.com | Closed | 16.02.2024 |
Task Description
Description
I discovered a potential vulnerability in api.alwaysdata.com that could allow an attacker to override URLs by manipulating the X-Forwarded-Host header. This issue could potentially lead to unintended redirections or access to restricted resources.
Proof-of-Concept
To demonstrate this vulnerability, we can use a simple HTTP request with a modified X-Forwarded-Host header. Replay the following request;
GET /v1/ssh/doc/ HTTP/1.1
Host: api.alwaysdata.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Connection: close
Cache-Control: max-age=0
X-Forwarded-Host: evil.com
Cookie: flyspray=ef2b9025azb8fd028bf6
Referer: https://api.alwaysdata.com/doc
Mitigation
Blocking or filtering out the X-Forwarded-Host header entirely and relying on other methods to determine the original domain (e.g., using the Host header or server logs).
|
|
28 | Summary: A username disclosure vulnerability has been i ... | Closed | 13.02.2024 |
Task Description
Details: Upon accessing the URL endpoint https://blog.alwaysdata.com/wp-json/wp/v2/users/, the website returns a JSON response containing information about registered users, including usernames. This exposes user account details to anyone who accesses the endpoint, without requiring authentication.
Impact: The username disclosure vulnerability poses a significant risk to the security and privacy of users on the https://blog.alwaysdata.com website. Attackers can use the exposed usernames to attempt unauthorized access to user accounts, conduct targeted phishing attacks, or perform further reconnaissance to exploit additional vulnerabilities.
Recommendations:
Immediate Mitigation: Disable public access to the /wp-json/wp/v2/users/ endpoint to prevent unauthorized users from obtaining a list of user accounts.
Patch Deployment: Implement a security patch or update provided by the website’s developers to address the username disclosure vulnerability.
User Notification: Inform registered users of the vulnerability and advise them to change their passwords as a precautionary measure.
Security Audit: Conduct a comprehensive security audit of the website to identify and remediate any additional vulnerabilities that may exist.
Additional Information: This report aims to assist in promptly addressing the username disclosure vulnerability on the https://blog.alwaysdata.com website to safeguard user data and mitigate potential security risks. Urgent action is recommended to prevent exploitation and protect the website’s users from unauthorized access to their accounts.
Please feel free to reach out if further assistance or clarification is needed.
Sincerely, Nilesh nilesh56466@gmail.com
|
|
27 | Text Injection | Closed | 06.02.2024 |
Task Description
Description:
Content spoofing, also referred to as content injection, “arbitrary text injection” or virtual defacement, is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain. This attack is typically used as, or in conjunction with, social engineering because the attack is exploiting a code-based vulnerability and a user’s trust.
Impact:
An attacker can use text injection vulnerability to present a customized message on the application that can phish users into believing that the message is legitimate. The intent is typical to tick victims, although sometimes the actual purpose may be to simply misrepresent the organization or an individual.
Steps to Reproduce:
1: Navigate to given URL: https://admin.alwaysdata.com/ 2: At the end of the URL enter /hacker 3: Now on the page you will see hacker is reflecting on page.
Poc: https://https://drive.google.com/file/d/1gG_U7sszvkvv3Rz8CxK89EW2wp7xtxC8/view?usp=sharing
|
|
26 | #1 Crititical Vulnerability Name: No Rate Limit in addi ... | Closed | 06.02.2024 |
Task Description
Vulnerability Name: No Rate Limit in adding Sites
Impact: - This may consume a large amount of bandwidth and, sometimes, require large amounts of storage space.
How to reproduce this issue:
1. Use Burp Suite and capture the Sites request.
2. Send the captured request to Intruder and select name position as shown in POC.
3. Set payloads to numbers and numbers will be from 1 to 40 (depending on your usage).
4. Observe that the status code is 302 means we can add an unlimited Sites.
Recommendation: 1. There should be some rate limit for Add Sites (Example: should not exceed more than 10 Sites)
2. Implement Captcha, the captcha should not be based on IP.
POC: - Video file in below link. - Link: https://www.mediafire.com/file/q9ir608diysdnhj/Always+Data+Poc-1.mp4/file https://mediafire.com/file/q9ir608diysdnhj/Always+Data+Poc-1.mp4/file
|
|
25 | Title: Security Report: Public Exposure of Sensitive In ... | Closed | 04.02.2024 | |
|
24 | Security Report:Broken Access Control (BAC) in [admin.a ... | Closed | 01.02.2024 | |
|
23 | Subject: Vulnerability Report: Transmission of Credenti ... | Closed | 02.02.2024 | |
|
22 | Vulnerability Report: Unverified Email Registration on ... | Closed | 31.01.2024 | |
|
21 | Bug Bounty Report | Closed | 04.02.2024 | |
|
20 | Unauthorized Access to Over 6000+ Valid User Credential ... | Closed | 30.01.2024 | |
|
19 | User Enumeration Through Forgot Password Vulnerability | Closed | 29.01.2024 | |
|
18 | .git file exposed | Closed | 18.01.2024 | |
|
17 | Lack of password confirmation on account deletion | Closed | 19.01.2024 | |
|
16 | Unauthenticated-Video conferencing on "https://jitsi.al ... | Closed | 18.01.2024 | |
|
15 | Bug Bounty|User credential Leaked on Github-dork | Closed | 18.01.2024 | |
|
14 | Potential SSRF Vulnerability via Self-XSS | Closed | 18.01.2024 | |
|
13 | Lack of Verification Email | Closed | 16.01.2024 | |
|
12 | No rate limit on Submit tickets | Closed | 15.01.2024 | |
|
2 | XSS Vulnerability in [admin.alwaysdata.com] Support Tic ... | Closed | 12.01.2024 | |