|
337 | Closed | [ALW-001] Flyspray .git Directory Fully Exposed on secu ... | ahmedsss2233 |
Task Description
Severity: HIGH
Target: security.alwaysdata.com
Affected URL: https://security.alwaysdata.com/.git/
## Description
The deployed Flyspray instance (this very bug-tracker) exposes its entire `.git` directory under the document root. The directory listing is disabled, but the well-known internal files are individually readable, which is enough to reconstruct the full source tree, every commit message, every author email, and every credential ever committed to the repository. (Title shortened from "…Source Tree, Admin Email, Commit History" — the original 117-char summary exceeded the 100-char column limit and triggered an INSERT error.)
## Steps to Reproduce (manual, no scanner)
```
curl -s https://security.alwaysdata.com/.git/HEAD curl -s https://security.alwaysdata.com/.git/config curl -s https://security.alwaysdata.com/.git/logs/HEAD curl -s https://security.alwaysdata.com/.git/index -o /tmp/index ; file /tmp/index
```
`HEAD` returns the current branch ref, `config` returns the repository configuration, and `logs/HEAD` returns the full reflog including author names and emails. From there, `git clone` against the exposed directory or a manual `git-cat-file` walk reconstructs ~941 reachable objects and the complete deployed source code (including any locally-applied patches).
## Impact
* Full source-code disclosure of the production Flyspray that hosts the bug-bounty program itself.
* Disclosure of admin / committer email addresses and real names from commit metadata.
* Any secret accidentally committed (DB credentials, API tokens, signing keys) is recoverable from history even if removed from `HEAD`.
* Combined with ALW-007 (no rate-limiting on the Flyspray login) and ALW-015 (weak integer CSRF), this gives an attacker a precise roadmap to compromise the bug-bounty intake and read every other researcher's unredacted submissions.
## Remediation
Block the directory at the web server level, e.g. for Apache:
```
<DirectoryMatch "/\.git">
Require all denied
</DirectoryMatch>
```
or for nginx:
```
location ~ /\.git { deny all; return 404; }
```
Then remove the `.git` directory from the document root entirely and deploy via a build artifact or `git archive` rather than a working copy.
— Reported by: Ahmed Said (asame8855@gmail.com)
Tested manually per program rules — no automated scanners used.
|
|
336 | Closed | [ALW-015] Flyspray CSRF Token is a Plain Integer with L ... | ahmedsss2233 |
Task Description
Severity: LOW
Target: security.alwaysdata.com
Affected element: `<input type="hidden" name="csrftoken" value="…">` on every form (registration, task creation, comments, edits)
## Description
Flyspray emits its CSRF token as a plain decimal integer of around 9–10 digits, giving roughly `log2(10^10) ≈ 33` bits of entropy. That is dramatically weaker than the 256-bit cryptographic token Django emits on `admin.alwaysdata.com` for the same protection class, and it is potentially predictable depending on how the token is seeded.
## Steps to Reproduce
```
curl -s https://security.alwaysdata.com/register \
| grep -oE 'name="csrftoken" value="[0-9]+"'
# → name="csrftoken" value="852018639"
# Compare with Django on admin.alwaysdata.com (any form):
# csrfmiddlewaretoken=qzNI2DZ0UfLVc7VRvdUw… # (64 random characters, cryptographic)
```
## Impact
* Brute-forcing a 10-digit integer over the network is well within reach of a determined attacker (10¹⁰ ≈ a few weeks at conservative request rates with no rate limiting — see ALW-007).
* If the integer is derived from a predictable seed (PHP `mt_rand` without proper seeding, timestamp, etc.) the search space collapses further.
* Combined with ALW-009 (no `SameSite` on the session cookie) the CSRF defense layer becomes paper-thin: a malicious page can both replay the cookie and guess the token in feasible time.
## Remediation
* Replace the token generator with a cryptographically random string. In PHP: `bin2hex(random_bytes(32))` (256 bits, 64 hex characters).
* Use a per-session token, rotated on login and on privilege change, not a long-lived global one.
* Validate the token in constant time (`hash_equals`) to avoid timing leaks.
* For Flyspray 1.0-rc11 specifically, patch `make_csrf_token()` in `includes/class.flyspray.php` to call `bin2hex(random_bytes(32))`.
— Reported by: Ahmed Said (asame8855@gmail.com) — manual testing only.
|
|
335 | Closed | [ALW-011] Flyspray Attachments Downloadable via Sequent ... | ahmedsss2233 |
Task Description
Severity: MEDIUM
Target: security.alwaysdata.com
Affected endpoint: `GET https://security.alwaysdata.com/index.php?getfile={id}`
## Description
Flyspray attachments — i.e. proof-of-concept files researchers attach to security reports — are downloadable by anyone with a sequential integer ID and no authentication. The four currently-live attachments (IDs 1–4) returned 200 OK with the underlying PoC PDFs and PNGs without any session cookie. IDs 5–11 returned 410 Gone (deleted), which also leaks prior-existence.
## Steps to Reproduce
```
for i in 1 2 3 4 5 6 7 8 9 10 11; do
printf 'id=%-2s ' "$i"
curl -sI "https://security.alwaysdata.com/index.php?getfile=$i" \
| grep -E '^(HTTP|content-type|content-length):' \
| tr '\n' ' '
echo
done
# id=1 HTTP/1.1 200 OK content-type: application/pdf content-length: 115873
# id=2 HTTP/1.1 200 OK content-type: application/pdf content-length: 164813
# id=3 HTTP/1.1 200 OK content-type: image/png content-length: 39503
# id=4 HTTP/1.1 200 OK content-type: image/png content-length: 141632
# id=5..11 HTTP/1.1 410 Gone
```
No session cookie was sent. The response body contains the original PoC file in full.
## Impact
* Any unredacted PoC, screenshot, or credential a previous researcher attached is publicly readable just by walking the integer counter.
* Even when the parent task is later restricted or redacted in the UI, the raw attachment stays exposed at the same `?getfile=ID` URL.
* The 410-vs-200 differential also leaks the existence of every deleted attachment, which can be used to bound the total volume of historical PoCs.
## Remediation
* Require an authenticated session and a project-membership / task-visibility check before serving `getfile`.
* Replace the integer ID with a non-guessable token (UUIDv4 or HMAC-signed hash bound to the user + task).
* Return HTTP 404 (not 410) for deleted attachments to avoid confirming prior existence.
* Audit the four currently-public attachments (IDs 1–4) and re-issue them under restricted URLs if they contain unredacted PoC material.
— Reported by: Ahmed Said (asame8855@gmail.com) — manual testing only, downloads not redistributed.
|
|
334 | Closed | [ALW-010] Flyspray CSP Allows unsafe-inline and unsafe- ... | ahmedsss2233 |
Task Description
Severity: MEDIUM
Target: security.alwaysdata.com
Affected response header: `Content-Security-Policy`
## Description
The Content-Security-Policy returned by every Flyspray response on `security.alwaysdata.com` includes both `'unsafe-inline'` and `'unsafe-eval'` in `script-src`. With both directives in place, CSP provides effectively zero mitigation against XSS — any future injection sink (task title, comment, custom field) executes immediately.
## Steps to Reproduce
```
curl -sI https://security.alwaysdata.com/ | grep -i content-security-policy
# → content-security-policy: default-src 'none'; img-src 'self'; font-src 'self';
# style-src 'self' 'unsafe-inline';
# script-src 'self' 'unsafe-inline' 'unsafe-eval'; ← weak
# connect-src 'self'
```
## Impact
* Any future XSS in Flyspray (task description, comment body, attachment filename, custom field) executes despite CSP.
* `'unsafe-eval'` allows `eval()`, `new Function(string)`, `setTimeout(string, …)`, and `setInterval(string, …)` payloads — enabling attacker-controlled string execution.
* Especially impactful given the bundled libraries (Prototype.js 1.7, script.aculo.us 1.9.0) which are old enough to have known XSS sinks.
## Remediation
* Remove `'unsafe-inline'` from `script-src` and replace with a per-response nonce (`script-src 'self' 'nonce-XYZ'`); add the same nonce to every server-rendered `<script>` tag.
* Remove `'unsafe-eval'` after refactoring any `eval(string)` / `new Function(string)` / `setTimeout(string, …)` / `setInterval(string, …)` call sites in the bundled JS (Prototype/scriptaculous).
* Ideally also tighten `style-src` away from `'unsafe-inline'` once template inline styles are migrated to a stylesheet.
— Reported by: Ahmed Said (asame8855@gmail.com) — manual testing only.
|
|
333 | Closed | [ALW-009] Flyspray Session Cookie Missing Secure and Sa ... | ahmedsss2233 |
Task Description
Severity: MEDIUM
Target: security.alwaysdata.com
Affected response header: `Set-Cookie` on every authenticated response
## Description
The Flyspray session cookie is set with `HttpOnly` only — both the `Secure` flag and the `SameSite` attribute are missing. This is a measurable regression compared to alwaysdata's Django stack on `admin.alwaysdata.com`, which correctly sets `Secure; SameSite=Lax` on its session cookie.
## Steps to Reproduce
```
curl -sI https://security.alwaysdata.com/ | grep -i set-cookie
# → Set-Cookie: flyspray=<sessionid>; path=/; HttpOnly
# (no Secure, no SameSite)
# Compare admin.alwaysdata.com (correct):
curl -sI https://admin.alwaysdata.com/ | grep -i set-cookie
# → Set-Cookie: csrftoken=…; Path=/; SameSite=Lax; Secure
```
## Impact
* The session cookie will be transmitted in plaintext if the user is ever forced onto an HTTP origin (downgrade / hostile coffee-shop network / user typing the domain without https).
* Without `SameSite`, third-party sites can include this domain via top-level navigation or cross-site POST and the cookie is attached, removing CSRF defense-in-depth.
* On a subdomain that hosts user-supplied attachments (see ALW-011), the missing `SameSite` is meaningful.
## Remediation
In Flyspray's session configuration set both flags:
```
# php.ini or .htaccess
session.cookie_secure = 1
session.cookie_samesite = "Lax"
session.cookie_httponly = 1
```
Final header should look like:
```
Set-Cookie: flyspray=<sessionid>; path=/; HttpOnly; Secure; SameSite=Lax
```
— Reported by: Ahmed Said (asame8855@gmail.com) — manual testing only.
|
|
332 | Closed | [ALW-007] Flyspray Login Endpoint Has No Rate Limiting ... | ahmedsss2233 |
Task Description
Severity: MEDIUM
Target: security.alwaysdata.com
Affected endpoint: `POST https://security.alwaysdata.com/index.php?do=authenticate`
## Description
The Flyspray login endpoint at `security.alwaysdata.com` does not implement any form of brute-force protection: no progressive delay, no per-IP throttling, no per-account lockout, and no CAPTCHA after repeated failures. Because this is the same Flyspray instance that hosts every researcher's confidential bug-bounty submissions, brute-forcing an analyst account is a direct path to compromising the entire program intake.
## Steps to Reproduce
```
# Five consecutive bad-password attempts against a known-existing username
for i in 1 2 3 4 5; do
curl -s -o /dev/null -w '%{http_code}\n' \
-X POST 'https://security.alwaysdata.com/index.php?do=authenticate' \
-d 'user_name=admin&password=wrong'
done
# → 303
# → 303
# → 303
# → 303
# → 303
```
No lockout, no CAPTCHA, no slowdown. (Stopped at 5 to comply with the program's "do not damage production" rule.) Combined with ALW-006 / FS#329 (already-known username enumeration via `searchnames.php`), an attacker has a complete brute-force pipeline.
## Impact
* Brute-force attacks against analyst, admin, and researcher accounts are feasible from a single source.
* Compromise of an analyst account would expose every researcher's unredacted submission and PoC attachments — the most damaging possible outcome on this asset.
* Increases the impact of ALW-009 (insecure cookie) and ALW-015 (weak CSRF token) by enabling pre-conditions for full account takeover.
## Remediation
* Add progressive delay after 3 failed attempts (e.g. exponential backoff up to 60 s).
* Show a CAPTCHA after 5 failed attempts (per IP and per username).
* Lock the target account (or send an admin alert) after 10 failed attempts in a short window.
* Deploy fail2ban with a jail tailing the Flyspray auth log to ban IPs at the firewall after sustained abuse.
* Consider upgrading from Flyspray 1.0-rc11 to a version with built-in rate-limiting hooks.
— Reported by: Ahmed Said (asame8855@gmail.com) — manual testing only, capped at 5 attempts.
|
|
331 | Closed | [ALW-005] Password-Reset Differential Response Enables ... | ahmedsss2233 |
Task Description
Severity: MEDIUM
Target: admin.alwaysdata.com
Affected endpoint: `POST https://admin.alwaysdata.com/password/lost/`
## Description
The password-reset endpoint returns a different HTTP status (and different body) depending on whether the submitted email belongs to a real account, allowing unauthenticated enumeration of valid alwaysdata user emails.
## Steps to Reproduce
```
# Existing account — redirected to the success page
curl -i -X POST https://admin.alwaysdata.com/password/lost/ \
H 'Content-Type: application/x-www-form-urlencoded' \
-data 'email=cbay@alwaysdata.com'
# → HTTP/1.1 302 Found
# → Location: /password/sent/
# Non-existent account — form re-rendered with no redirect
curl -i -X POST https://admin.alwaysdata.com/password/lost/ \
H 'Content-Type: application/x-www-form-urlencoded' \
-data 'email=nonexistent9999@example.com'
# → HTTP/1.1 200 OK
# → (form HTML re-rendered, no redirect)
```
The 302→/password/sent/ vs 200 differential is observable from a single unauthenticated request and was not rate-limited during testing.
## Impact
* Confirms whether an arbitrary email address has an alwaysdata account.
* Enables targeted phishing and credential-stuffing campaigns against confirmed-real customer accounts.
* Combined with ALW-007 (no rate-limiting on the related Flyspray login) and ALW-006 / FS#329 (Flyspray username enumeration), feeds a chain ending in account-takeover attempts.
## Remediation
* Always return the same response (302 → `/password/sent/` with a generic "if an account exists with that email, a reset link has been sent" page) regardless of whether the email matched.
* Rate-limit the endpoint per source IP and per email (e.g. 5 requests / hour / address).
* Add CAPTCHA after 3 failed attempts.
— Reported by: Ahmed Said (asame8855@gmail.com) — manual testing only.
|
|
330 | Closed | [ALW-003] Registration Token Still Leaks to Matomo — In ... | ahmedsss2233 |
Task Description
Severity: HIGH
Target: admin.alwaysdata.com (registration flow → outbound to tracker.alwaysdata.com)
## Description
The original FS#311 fix was supposed to strip the registration token from URLs sent to Matomo. The current implementation still forwards token-derived parameters (`user_id`, `expires`) in the analytics request, so the Matomo back-end (and anyone with read-access to the dashboard) can still correlate a token-holder to their account-creation event.
## Steps to Reproduce
1. Open browser devtools (Network tab) and visit https://admin.alwaysdata.com/account/create/ 2. Complete the registration flow up to the point where the confirmation token is shown in the URL.
3. Filter the Network panel by `tracker.alwaysdata.com`.
4. Inspect the outbound `/matomo.php` (or `/piwik.php`) tracking request — `url=` / `urlref=` / `action_name` still contain `user_id=` and `expires=` values bound to the registration token, even though the bare token string itself was redacted by the FS#311 patch.
## Impact
* The mitigation for FS#311 is incomplete — the parameters that uniquely identify the registration token are still observable to Matomo.
* Anyone with Matomo read-access can correlate a tracking event to a specific account-creation flow.
* Defeats the trust assumption that registration data does not leave alwaysdata's auth boundary.
## Remediation
Before calling `piwik.trackPageView()` on the registration page, normalise the URL passed to Matomo — strip the entire querystring/hash:
```js
piwik.setCustomUrl(window.location.origin + window.location.pathname);
piwik.setReferrerUrl('');
```
Verify with a manual reproduction that no `user_id`, `expires`, or other token-derived parameter reaches `tracker.alwaysdata.com`.
— Reported by: Ahmed Said (asame8855@gmail.com) — manual testing only.
Related: FS#311 (partial fix).
|
