Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by 0xbencantcode - 14.06.2025
Last edited by cbay - 16.06.2025

FS#183 - phpPgAdmin Leaks All Usernames Via `roles.php` Endpoint (and a few other concerns...)

The username of every single user on Alwaysdata is leaked via the roles.php endpoint. With this information, an attacker can use it to infer the URLs of services their potential victims use, ex. ssh-USERNAME_HERE.alwaysdata.net.

phpPgAdmin is also a dumpster fire; it's in the best interest of your company to move away from the service to protect your users. phpPgAdmin is prone to cross-site scripting exploits and potential remote code execution due to the unserialization of user-supplied input (CVE-2023-40619). It's of no use reporting these vulnerabilities to the developers since phpPgAdmin is no longer maintained. Hell, even the CVE I mentioned hasn't been addressed. I urge you to switch to another service or a fork with security updates ASAP.

https://files.catbox.moe/pctk9v.png

Closed by cbay
16.06.2025 07:30
Reason for closing: Invalid
Admin
cbay commented on 16.06.2025 07:30

Hello,

There are many ways to list alwaysdata accounts; we even explicitly say so in our documentation.

Kind regards,
Cyril
