Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by freetb - 15.02.2024
Last edited by cbay - 15.02.2024

FS#32 - Server Path Traversal + Information Disclosure on admin.alwaysdata.com

Description

I identified a vulnerability in the SSH function of admin.alwaysdata.com, where the home directory setting is vulnerable to server path traversal.

Proof-of-Concept

1. Login to your account and visit https://admin.alwaysdata.com/ssh

2. Edit the home directory from '/' to '/../../../../../../'

3. Next, save the settings and login to your SSH shell. Type ls. You'll discover your path has been traversed.

4. Access the /alwaysdata/etc/passwd folder to view the admin superusers. More information about other users is also available throughout the server.

For example:

/var/lib/extrausers/passwd shows all the other registered users on the server.

/usr/lib/python3/dist-packages/fail2ban/tests/files/logs/postfix displays fail2ban logs.

Other interesting files:

/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd

/usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd

Mitigation

Restrict access to any parent directory, other than the container being run.

Closed by  cbay
15.02.2024 11:00
Reason for closing:  Invalid
Admin
cbay commented on 15.02.2024 08:44

Hello,

You don't need to modify your home directory at all to access those files. They are public, readable and don't pose a security threat.

In particular, getting the list of local users (other clients or admins) is not a vulnerability. There's even a well-known Unix command, getent, to easily get the full list of accounts.

Kind regards,
Cyril

Wow. OK, I understand. I doff my hat to the security of this platform. Even the local exploits proved futile.
