All Projects

Advanced

Miscellaneous Search in comments Search details Search for all words Tasks I watch Tasks not blocking other tasks Tasks blocking other tasks Blocker or nonblocker, selecting both filter options doesn't make sense. Has attachment Hide SubTasks

Task Properties

Task Type

Severity

Priority

Due In Version

Reported Version

Category

Status

Percent Complete

Users Opened by Assigned To Closed by

Dates

Due from to

Changed from to

Opened from to

Closed from to

	ID	Status	Summary	Opened by
	~~118~~	Closed	~~Hidden Matomo Tracking Opt-Out Endpoint~~	freetb	Task Description The endpoint is not publicly visible through the application interface but was discovered using search engine dorking techniques. https://tracker.alwaysdata.com/index.php?module=CoreAdminHome&action=optOut&language=en Low severity as it doesn't reveal sensitive server info
	33	Closed	~~Privilege Escalation in admin.alwaysdata.com - Academic~~ ...	freetb	Task Description Description A vulnerability has been discovered in the student management system, which allows a normal user account to bypass access controls. ANY registered low-level user, with no knowledge or involvement in a class, can globally detach any student involved just by manipulating the UID. Even without tutorship/academic privileges and regardless of tutor access control. Impact A malicious attacker could fuzz predictable UID values and remove multiple students, abusing the privesc as a nuisance. Proof-of-Concept 1) First, we logged in to an actual tutor account where I've added a few students. Next, I take note of the IDs of each student involved. 2) Then, I logged out and just to validate this exploit, I would create a NEW account. 3) This is the vulnerable endpoint: https://admin.alwaysdata.com/academic/release/<USER_ID> I replaced the <USER_ID> param with the various IDs I recorded from the tutor account. 4) Visit these URLs on the new account and observe the results. 5) Then, log out and re-login to the tutor account. Visit https://admin.alwaysdata.com/academic/ and confirm poc validity. Mitigation Implement proper access controls and role-based permissions to restrict normal users from utilizing global admin/tutor privileges. Conduct a thorough review of the authentication and authorization processes to ensure that no other similar vulnerabilities exist. POC video: https://file.io/DRmuH2Qk7wZk
	32	Closed	~~Server Path Traversal + Information Disclosure on admin~~ ...	freetb	Task Description Description I identified a vulnerability in the SSH function of admin.alwaysdata.com, where the home directory setting is vulnerable to server path traversal. Proof-of-Concept 1. Login to your account and visit https://admin.alwaysdata.com/ssh 2. Edit the home directory from '/' to '/../../../../../../' 3. Next, save the settings and login to your SSH shell. Type ls. You'll discover your path has been traversed. 4. Access the /alwaysdata/etc/passwd folder to view the admin superusers. More information of other users are also available throughout the server. For example; /var/lib/extrausers/passwd shows all the other registered users on the server. /usr/lib/python3/dist-packages/fail2ban/tests/files/logs/postfix display failban logs. Other interesting files; /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/basic/authz_owner/.htpasswd /usr/lib/python3/dist-packages/fail2ban/tests/files/config/apache-auth/digest_wrongrelm/.htpasswd Mitigation Restrict access to any parent directory, other than the container being run.
	31	Closed	~~Broken Access Vulnerability via 'Impossible deletion' E~~ ...	freetb	Task Description Description A vulnerability exists on the https://admin.alwaysdata.com/ permissions_delete endpoint which is intended for deleting sub-accounts' generated data or permissions. However due to unsecure design, it can also be used to remove critical permissions or access controls of the owner account, rendering the account useless. Proof-of-Concept 1. Visit this URL: https://admin.alwaysdata.com/permissions/<owner-id>/delete/ (Replace owner-id with the the id of main account, that is, the one with 'impossible deletion') 2. This renders the account useless. But permissions can still be reinstated using the following request POST /permissions/<account-id>/ HTTP/2 Host: admin.alwaysdata.com Cookie: csrftoken=nHI6Qy3zJu9uxxxqNvXRuZlTuvgLJwbBI5jg4XRa; django_language=en; sessionid=tdcg6j9im2g31ga9tk7 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://admin.alwaysdata.com/permissions/ Content-Type: application/x-www-form-urlencoded Content-Length: 314 Origin: https://admin.alwaysdata.com csrfmiddlewaretoken=U0CcqjIPBxxxxxxxxxxxx2zGI69d7GFBI5AKORMPsTJlk1SfgDJZ5t&csrfmiddlewaretoken=U0CcqjIPBxxxxxxxxxxxxxxxx7GFBI5AKORMPsTJlk1SfgDJZ5t&email=<EMAIL>&customer_account=on&customer_contact_billing=on&customer_full_accounts=on&customer_full_servers=on&account=<USERID> Mitigation Ensure that only authorized admin can access and modify owner permissions through the delete endpoint. This can be achieved by implementing authentication and authorization mechanisms.
	30	Closed	~~Information Disclosure on cAdvisor software via Origin~~ ...	freetb	Task Description Description I discovered that cAdvisor, a container monitoring and management tool, is exposed to the public internet. Using OSINT techniques, this endpoint was discovered on one of the company servers. This information disclosure could potentially be used by attackers for various malicious purposes, such as mapping vulnerable targets or launching further attacks. Proof-of-Concept To demonstrate this issue, we can access the cAdvisor web interface via the URLs; http://185.31.41.177:8000/containers/ http://185.31.41.177:8000/metrics/ http://185.31.41.177:8000/api/v1.0/machine http://185.31.41.177:8000/containers/user.slice http://185.31.41.177:8000/containers/system.slice Browse through the URIs for more information on processes running, users involved, resource usage, container names e.t.c. Mitigation Restrict access to cAdvisor. Limit access to the cAdvisor interface to trusted users or networks only.
	29	Closed	~~URL Override in api.alwaysdata.com~~	freetb	Task Description Description I discovered a potential vulnerability in api.alwaysdata.com that could allow an attacker to override URLs by manipulating the X-Forwarded-Host header. This issue could potentially lead to unintended redirections or access to restricted resources. Proof-of-Concept To demonstrate this vulnerability, we can use a simple HTTP request with a modified X-Forwarded-Host header. Replay the following request; GET /v1/ssh/doc/ HTTP/1.1 Host: api.alwaysdata.com Accept-Encoding: gzip, deflate, br Accept: / Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Connection: close Cache-Control: max-age=0 X-Forwarded-Host: evil.com Cookie: flyspray=ef2b9025azb8fd028bf6 Referer: https://api.alwaysdata.com/doc Mitigation Blocking or filtering out the X-Forwarded-Host header entirely and relying on other methods to determine the original domain (e.g., using the Host header or server logs).

Showing tasks 1 - 6 of 6 Page 1 of 1

Keyboard shortcuts

Available keyboard shortcuts

Alt + ⇧ Shift + l Login Dialog / Logout
Alt + ⇧ Shift + a Add new task
Alt + ⇧ Shift + m My searches
Alt + ⇧ Shift + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + ⇧ Shift + e ↵ Enter Edit this task
Alt + ⇧ Shift + w watch task
Alt + ⇧ Shift + y Close Task

Task Editing

Alt + ⇧ Shift + s save task