
# FS#312 (Assigned): 25 JavaScript Source Maps Publicly Accessible - 410K+ C... (opened by Raijuna)

## Summary

25 JavaScript source map files (.js.map) are publicly accessible on static.alwaysdata.com without authentication. These contain the original, unminified source code totaling 410,699+ characters across the admin panel modules, including:

- Internal API endpoint patterns and CSRF handling logic
- Feature flag names and conditional logic
- Reseller module business logic
- Template file paths and component structure
- Permission system implementation details
- Support ticket system leaking data to languagetool.org

## Severity: Medium (CVSS 5.3)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-540: Inclusion of Sensitive Information in Source Code

## Steps to Reproduce

### 1. Download the admin panel core source map (605 KB)

```sh
curl -s -o core.js.map 'https://static.alwaysdata.com/aldjango/administration/core-Iu2w3-Ub.js.map'
wc -c core.js.map
# 605039 bytes
```

### 2. Verify it contains original source code

```sh
# Count the source files listed in the map and the total size of the embedded
# unminified sources (sourcesContent); null entries are skipped.
python3 -c "import json,sys; d=json.load(sys.stdin); print('Sources:', len(d.get('sources',[])), 'files'); print('Content length:', sum(len(s) for s in (d.get('sourcesContent') or []) if s))" < core.js.map
```

### 3. Accessible source maps (sample)

- https://static.alwaysdata.com/aldjango/administration/main-D6bqDpvz.js.map
- https://static.alwaysdata.com/aldjango/administration/core-Iu2w3-Ub.js.map
- https://static.alwaysdata.com/aldjango/administration/ui-permissions-DpuZ1RMH.js.map
- https://static.alwaysdata.com/aldjango/administration/ui-ticket-BVXE_RGY.js.map
- https://static.alwaysdata.com/aldjango/administration/reseller-DPWgpuvi.js.map
- https://static.alwaysdata.com/aldjango/administration/ui-account-list-CaFjNbCY.js.map
- https://static.alwaysdata.com/aldjango/administration/sepa-e5qTgeYD.js.map
- https://static.alwaysdata.com/aldjango/administration/forms-ChhNVii8.js.map
- https://static.alwaysdata.com/aldjango/administration/ui-reseller-0hFmHN89.js.map
- https://static.alwaysdata.com/aldjango/administration/ui-server-BejAFuIr.js.map
- https://static.alwaysdata.com/aldjango/administration/website/main-CbRxCCzg.js.map

## Attack Scenario

1. Attacker downloads all 25 source maps
2. Reconstructs the complete admin panel client-side application
3. Identifies API endpoint patterns, authentication flows, CSRF handling
4. Maps feature flags and conditional code paths
5. Discovers support ticket system sends text to languagetool.org/api/v2/check (third-party data leak)
6. Uses internal knowledge to craft targeted attacks against admin panel

## Impact

- Full source code exposure: 410K+ characters of unminified admin panel code
- Reconnaissance advantage: API patterns, auth logic, permission checks exposed
- Third-party data leak: Ticket system sends content to external API
- Internal architecture knowledge: File paths, component structure revealed

## Remediation

1. IMMEDIATE: Remove source map files from production static asset server
2. Disable source map generation in Vite production build: build.sourcemap = false
3. If needed for error tracking, use Sentry source map upload API (server-side only)
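As an added example (not part of the report or of alwaysdata's own tooling), a pre-deploy check that fails a build when a Vite-style `dist/` directory still contains `.map` files or `//# sourceMappingURL=` references; the directory name and the file layout it walks are assumptions.

```python
"""Pre-deploy check for leaked source maps in a built static-asset directory.

Added example (not the report's or the vendor's code). It assumes a Vite-style
build output such as ``dist/`` and flags (a) any ``*.map`` file, with the
number of original-source characters it embeds, and (b) any ``*.js`` file
still carrying a ``//# sourceMappingURL=`` comment pointing at a map.
"""
import json
import re
import sys
from pathlib import Path

SOURCEMAP_URL_RE = re.compile(r"^//[#@]\s*sourceMappingURL=(\S+)", re.MULTILINE)


def embedded_source_chars(map_path: Path) -> int:
    """Count original-source characters in a map's ``sourcesContent`` array.

    Bundlers such as Vite embed the unminified sources there; a map without it
    only exposes file names and mappings. ``null`` entries are skipped.
    """
    data = json.loads(map_path.read_text(encoding="utf-8"))
    return sum(len(s) for s in (data.get("sourcesContent") or []) if s)


def find_sourcemap_leaks(dist_dir: str) -> list[dict]:
    """Return one finding per map file or map reference under ``dist_dir``."""
    root = Path(dist_dir)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".map":
            findings.append({"kind": "map_file", "path": rel,
                             "source_chars": embedded_source_chars(path)})
        elif path.suffix == ".js":
            text = path.read_text(encoding="utf-8", errors="replace")
            for m in SOURCEMAP_URL_RE.finditer(text):
                findings.append({"kind": "map_reference", "path": rel,
                                 "target": m.group(1)})
    return findings


if __name__ == "__main__":
    leaks = find_sourcemap_leaks(sys.argv[1] if len(sys.argv) > 1 else "dist")
    for finding in leaks:
        print(finding)
    sys.exit(1 if leaks else 0)  # non-zero exit fails the CI/deploy step
```

Run it against the build output right before upload; a clean `build.sourcemap = false` build yields no findings and exit code 0.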

# FS#310 (Assigned): Flyspray Security Tracker Full Exposure - 265 Reports, ... (opened by Raijuna)

## Summary

The Flyspray security bug tracker at security.alwaysdata.com publicly exposes 265 vulnerability reports without authentication. The exposed data includes:

1. Full PoC details for reported vulnerabilities (SSRF, OAuth ATO, XSS, etc.)
2. Plaintext credentials (phpMyAdmin: projets_baltic / LouisCelestin004@# in  FS#100 )
3. 132+ downloadable PoC attachments via sequential ID enumeration
4. Admin-researcher conversations revealing internal infrastructure details
5. Researcher identities (usernames for all 265 reports)
6. .git repository metadata exposing admin email (cbay@alwaysdata.com), 941 source file paths
7. Real-time vulnerability pipeline monitoring via RSS feed

## Severity: Critical (CVSS 9.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-200: Exposure of Sensitive Information

## Steps to Reproduce

### 1. Access the task list (no authentication required)

```sh
curl -s 'https://security.alwaysdata.com/?do=tasklist&status[]=open&status[]=closed'
```

Returns all 265 vulnerability reports with titles, assignees, status, and reporter names.

### 2. Read a vulnerability report with plaintext credentials

```sh
curl -s 'https://security.alwaysdata.com/task/100'
```
 FS#100  contains phpMyAdmin credentials: Username projets_baltic, Password LouisCelestin004@#.

### 3. Read a full SSRF PoC with internal IP

```sh
curl -s 'https://security.alwaysdata.com/task/307'
```
FS#307 contains: complete SSRF exploit chain targeting Roundcube webmail, internal IP 185.31.40.185, GuzzleHttp user-agent, 0-click exploitation via _safe=1 parameter.

### 4. Subscribe to real-time vulnerability feed

```sh
curl -s 'https://security.alwaysdata.com/feed.php?feed_type=rss2&project=1'
```
RSS feed delivers new vulnerability reports as they are submitted — before patches are deployed.

### 5. Download PoC attachments by ID enumeration

```sh
curl -s -o poc_screenshot.png 'https://security.alwaysdata.com/?getfile=130'
```
IDs 1 through 132 are accessible.

### 6. Access .git repository metadata

```sh
curl -s 'https://security.alwaysdata.com/.git/config'
curl -s 'https://security.alwaysdata.com/.git/logs/HEAD'
```
Reveals: remote origin, admin identity (Cyril Bay, cbay@alwaysdata.com), 941 source file paths.

## Attack Scenario

1. Attacker discovers security.alwaysdata.com via subdomain enumeration
2. Browses task list to find OPEN/ASSIGNED bugs (currently 12 assigned = unpatched)
3. Reads FS#307 to get a complete SSRF exploit chain with internal IP
4. Downloads all 132 PoC attachments
5. Extracts phpMyAdmin credentials from FS#100
6. Subscribes to RSS feed to monitor new reports in real-time
7. Weaponizes unpatched vulnerabilities during the window between report and fix

## Impact

- Credential exposure: Plaintext database credentials accessible to anyone
- Vulnerability weaponization: Full PoCs for unpatched vulnerabilities
- Intelligence gathering: Internal IPs, server architecture, admin identities
- Persistent monitoring: RSS feed provides real-time vulnerability intelligence

## Additional Findings
- Weak CSP: script-src 'self' 'unsafe-inline' 'unsafe-eval'
- Outdated JS: Prototype.js 1.7 and script.aculo.us 1.9.0 (2010)
- PHP path disclosure in registration errors
- Session cookie missing Secure and SameSite flags
- Flyspray 112 commits behind upstream

## Remediation

1. IMMEDIATE: Restrict access to security.alwaysdata.com — require authentication
2. IMMEDIATE: Block .git directory access at web server level
3. IMMEDIATE: Rotate exposed credentials (audit all 265 tasks)
4. SHORT-TERM: Disable public self-registration
5. SHORT-TERM: Update Flyspray (112 commits behind upstream)
6. MEDIUM-TERM: Implement proper CSP, add Secure/SameSite cookie flags
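As an added example (not from the report or from Flyspray), a small response-header audit for the CSP and cookie-flag findings listed above, run over a constructed header set; `flyspray_session` is an assumed cookie name, not one taken from the tracker.

```python
"""Audit HTTP response headers for the weaknesses listed in the report.
Added example (not the report's or Flyspray's code). Flags a CSP whose
script-src allows 'unsafe-inline'/'unsafe-eval' and Set-Cookie headers
missing Secure, HttpOnly or SameSite. SAMPLE_HEADERS below is constructed.
"""
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}, lower-cased."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def audit_csp(value: str) -> list[str]:
    """Report unsafe script sources; script-src falls back to default-src."""
    policy = parse_csp(value)
    script_src = policy.get("script-src", policy.get("default-src", []))
    return [f"CSP script-src allows {kw}"
            for kw in ("'unsafe-inline'", "'unsafe-eval'") if kw in script_src]

def audit_cookie(set_cookie: str) -> list[str]:
    """Report missing Secure/HttpOnly/SameSite on one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return [f"cookie {name} missing {label}"
            for attr, label in COOKIE_FLAGS.items() if attr not in attrs]

def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Audit a (name, value) header list; multiple Set-Cookie entries are fine."""
    issues, csp_seen = [], False
    for name, value in headers:
        if name.lower() == "content-security-policy":
            csp_seen = True
            issues.extend(audit_csp(value))
        elif name.lower() == "set-cookie":
            issues.extend(audit_cookie(value))
    return issues if csp_seen else issues + ["no Content-Security-Policy header"]

# Constructed sample mirroring the report's findings (not captured traffic)
SAMPLE_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"),
    ("Set-Cookie", "flyspray_session=abc123; path=/; HttpOnly"),
]
if __name__ == "__main__":
    print(*audit_headers(SAMPLE_HEADERS), sep="\n")
```

Feed it the header list from a real response (for example the tuples from `http.client`'s `getheaders()`) to re-check after the remediation lands.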
