Task 196 (Closed): Insecure Account Deletion Vulnerability on https://admi ... (opened by hacktivist)

Description:
An insecure account deletion vulnerability has been identified on the AlwaysData admin platform. The application allows account deletion without requiring re-authentication or password confirmation, which can lead to unauthorized account deletion on shared or public devices.

Exploit Scenario:

1. A legitimate user logs into their AlwaysData admin account on a shared device (e.g., library, internet café, or office).
2. The user accidentally leaves the session open without logging out.
3. An attacker accesses the session and navigates to the following URL: https://admin.alwaysdata.com/admin/details/
4. The attacker clicks "Delete this profile".
5. The system allows the deletion of the user account without requiring password re-entry or secondary confirmation, leading to account loss.

Steps to Reproduce:

1. Log in to your admin account at: https://admin.alwaysdata.com/
2. Navigate to: https://admin.alwaysdata.com/admin/details/
3. Click on the "Delete this profile" button.
4. Observe that no password or identity confirmation is required to proceed with account deletion.

Security Impact:
This lack of re-authentication introduces a critical security risk, especially on shared or publicly accessible machines. It allows any unauthorized person with temporary access to the session to delete the account permanently.

Recommended Mitigation:
Implement a re-authentication mechanism before executing sensitive actions like account deletion. This should include:

- Prompting the user to re-enter their password.
- Validating a session token or sending a secondary confirmation email/code.

This ensures that only an authenticated and intended user can perform account deletion.

Task 195 (Closed): Stored Cross-Site Scripting (XSS) via File Upload in Su ... (opened by hacktivist)

Description:
A stored XSS vulnerability exists in the support ticket submission functionality of the AlwaysData admin panel. An attacker can upload a specially crafted file (xss.poc) as an attachment while submitting a new ticket. When the ticket is submitted and the attached file is later opened by a staff member or user, malicious JavaScript embedded in the file is executed in their browser context.

This vulnerability allows attackers to perform actions such as stealing session cookies, executing arbitrary actions as the victim, or performing phishing attacks from within the trusted domain.

Steps to Reproduce:

1. Navigate to: https://admin.alwaysdata.com/support/add/
2. Fill out the New Ticket form:
   - Title: Test XSS Ticket
   - Message: Please see the attached file.
   - Attach the malicious file xss.poc:
3. Submit the ticket.
4. After submission, navigate to the Support section and view the created ticket.
5. Click on the uploaded xss.poc attachment.

Result: A JavaScript alert box with the message XSS is triggered, confirming that the script executed in the browser.

Impact:
- Arbitrary JavaScript execution in a user or admin context.
- Session hijacking
- Credential theft
- Phishing within trusted domain
- Full compromise of account integrity if an admin account is exploited

Recommendations:
- Sanitize and validate all uploaded files both client-side and server-side.
- Do not render or parse user-uploaded files as HTML or SVG content directly in the browser.
- Use proper Content-Disposition headers to force downloads:

Affected Users:
All users or administrators who open ticket attachments through the admin panel.
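One way to apply the report's third recommendation, as an added example that is not part of the report or of AlwaysData's code: a header set for serving ticket attachments as opaque downloads, plus a checker that flags header sets under which an uploaded file such as xss.poc would render as HTML or SVG in the trusted origin. The exact header values and the sample filenames are assumptions constructed for illustration.

```python
"""Serve ticket attachments as opaque downloads so they cannot run as a page."""
import re
from urllib.parse import quote

# Content types a browser executes script from when it renders them inline.
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                        "text/xml", "application/xml"}


def safe_download_filename(name: str) -> str:
    """ASCII fallback filename: no directory parts, quotes, CR or LF."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".") or "attachment"
    return base[:100]


def attachment_headers(original_name: str) -> dict:
    """Response headers for an uploaded file, whatever its contents.

    Assumed hardening (not the vendor's fix): generic type, forced download,
    nosniff so the body is never guessed as text/html, and a no-script CSP.
    """
    fallback = safe_download_filename(original_name)
    encoded = quote(original_name.replace("\\", "/").rsplit("/", 1)[-1], safe="")
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f"attachment; filename=\"{fallback}\"; filename*=UTF-8''{encoded}",
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if anything does render, no script may execute.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def renders_inline_as_active_content(headers: dict) -> bool:
    """Flag a header set that would let an uploaded file execute as HTML/SVG."""
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "inline").split(";")[0].strip().lower()
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if disposition == "attachment":
        return False
    if ctype in ACTIVE_CONTENT_TYPES:
        return True
    # Without nosniff the browser may sniff the body type; treat as unsafe.
    return not nosniff


if __name__ == "__main__":
    # Constructed before/after: inline text/html is the reported behaviour.
    print(renders_inline_as_active_content({"Content-Type": "text/html"}))  # True
    print(renders_inline_as_active_content(attachment_headers("xss.poc")))  # False
```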
