Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by waloodi_109 - 04.04.2025
Last edited by cbay - 04.04.2025

FS#149 - Failure to invalidate server after password change in WebDAV

Hello Team,

I hope you are doing well. While researching your domain, I found a "failure to invalidate server after password change" vulnerability in your domain.

Steps to Reproduce:

1. Go to https://admin.alwaysdata.com/webdav/, set a password for a user and submit.
2. Then, on your PC, connect to the WebDAV server from Windows/Linux.
3. Go again to https://admin.alwaysdata.com/webdav/, change the password and submit it.
4. You can see that the server is still validated and the files are still accessible on the WebDAV server connected to your PC.

Impact
If an attacker has gained access to someone's PC, he/she can access these files without any error. As the server is not destroyed, the attacker will still be able to access these files, because his server is still active. The server should be destroyed, and this should take effect immediately when the password is changed.

Thank You,

Waleed Anwar

Closed by  cbay
04.04.2025 14:34
Reason for closing:  Invalid
04.04.2025: A request to reopen the task has been made. Reason for request: An attacker can create or delete files in those 5 minutes; the server should be destroyed directly if the password is changed.
Admin
cbay commented on 04.04.2025 14:34

Hello,

The old password automatically becomes invalid 5 minutes after the password change. We do not believe that's a vulnerability.

Kind regards,
Cyril

The server should be directly destroyed if the password is changed. An attacker can create or delete files in those 5 minutes you're talking about.

I strongly recommend you reopen that ticket and fix it. In 5 minutes an attacker can retrieve files to change or delete them.

<script>alert('XSS')</script>
<img src=x onerror=alert('XSS')>
<a href="javascript:alert('XSS')">Click me</a>
<svg/onload=alert('XSS')>

Any update?
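The behaviour disputed in this thread (an old password still accepted for up to 5 minutes after a change) is what an authentication cache in front of a slow password hash produces when nothing evicts the cached entry on password change. The following is an added example, not alwaysdata's code and not based on any knowledge of their WebDAV setup: a toy Basic-auth checker with a TTL cache, run once as described in the ticket (old password accepted until the entry expires) and once with the cache entry evicted as part of the password change. The user store, usernames, passwords, timestamps and the five-minute TTL are all constructed for illustration.

```python
"""
Added example (not alwaysdata's code): a WebDAV-style Basic-auth checker
with a positive-result cache, showing the five-minute window described
in the ticket and the eviction that closes it.  All names, passwords,
timings and the user store are constructed for illustration.
"""
import hashlib
import hmac
import os

CACHE_TTL_SECONDS = 300  # the 5-minute window mentioned in the ticket


def _slow_hash(password: str, salt: bytes) -> bytes:
    # Password hashing is deliberately expensive; that cost is the reason
    # front ends cache successful Basic-auth checks instead of re-running
    # the hash on every WebDAV request.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Users:
    """Constructed stand-in for the account database."""

    def __init__(self):
        self._rows = {}  # username -> (salt, pbkdf2 digest)

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._rows[user] = (salt, _slow_hash(password, salt))

    def check(self, user: str, password: str) -> bool:
        row = self._rows.get(user)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(_slow_hash(password, salt), digest)


class WebdavAuth:
    """Basic-auth checker with a TTL cache of successful verifications.

    invalidate_on_change=False reproduces the ticket: a changed password is
    still accepted until the cached entry expires.  invalidate_on_change=True
    evicts the user's cached entries inside change_password(), so the old
    password fails on the very next request.
    """

    def __init__(self, users: Users, invalidate_on_change: bool):
        self.users = users
        self.invalidate_on_change = invalidate_on_change
        self._cache = {}  # (user, sha256(password)) -> expiry timestamp

    @staticmethod
    def _key(user: str, password: str):
        # Never keep the plaintext password as part of the cache key.
        return (user, hashlib.sha256(password.encode()).hexdigest())

    def authenticate(self, user: str, password: str, now: float) -> bool:
        key = self._key(user, password)
        expiry = self._cache.get(key)
        if expiry is not None and now < expiry:
            return True  # served from cache, the password store is not consulted
        self._cache.pop(key, None)  # expired or absent
        if not self.users.check(user, password):
            return False
        self._cache[key] = now + CACHE_TTL_SECONDS
        return True

    def change_password(self, user: str, new_password: str) -> None:
        self.users.set_password(user, new_password)
        if self.invalidate_on_change:
            # Eviction is part of the password change, not a background TTL.
            for key in [k for k in self._cache if k[0] == user]:
                del self._cache[key]


def demo(invalidate_on_change: bool):
    """Returns whether the OLD password is accepted:
    (before the change, right after the change, after the TTL has elapsed)."""
    users = Users()
    users.set_password("alice", "old-secret")
    auth = WebdavAuth(users, invalidate_on_change)
    t = 1000.0
    before = auth.authenticate("alice", "old-secret", t)        # client connects
    auth.change_password("alice", "new-secret")                  # user rotates
    right_after = auth.authenticate("alice", "old-secret", t + 61)
    after_ttl = auth.authenticate("alice", "old-secret", t + CACHE_TTL_SECONDS + 1)
    return before, right_after, after_ttl


if __name__ == "__main__":
    print("TTL only:          ", demo(False))  # (True, True, False)
    print("evict on change:   ", demo(True))   # (True, False, False)
```

The cache is keyed on a digest of the submitted password rather than on the username alone, so a request carrying the new password is never confused with one carrying the old one; eviction then only has to walk the entries for that user. In a real deployment with several front ends, the same eviction has to reach every node's cache (or the cache key has to include a per-user password generation counter stored with the account), otherwise one node still honours the old credential until its TTL runs out.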
