@ekevu123 great report. Fixed in https://git.cloudron.io/platform/box/-/commit/c7b2e4d95e3ca00924d3ad11781303b479d787d8
-
App list doesn't work, but app grid does (v9.2.0)
-
Cloudron Branding Options no Error/Infos
This is fixed now. An error message saying "File too large" is displayed.
-
Bug report
@dark thanks for your report. I looked into them. For transparency, here is our assessment.
All the reported issues require the attacker to already have an admin token / compromised admin password. All the issues below are not reproducible as a (compromised) normal user. Also, the issues were reproduced on the demo instance, which of course has the admin username/password displayed in public.
We found the report to be thorough and with clear explanation on how to reproduce the problems. From our side, we ack the bugs and have made the following fixes:
Problem: Full SSRF via applinks. This is about adding an internal IP as an applink.
Our analysis: Linking to internal apps is a legitimate feature. An applink is fundamentally a bookmark and there's nothing wrong with pointing it at 192.168.1.50 or an internal app. The applinks REST response only returns label and icon, not the contents of a site. You can't really infiltrate EC2 metadata etc. and neither can you make non-GET requests.
Our fix: We have added a fix now to block server internal IPs like localhost and the docker internal network.
Problem: SQL injection via dynamic column names. This is about being able to send arbitrary field names in the REST APIs.
Our analysis: Indeed, our query builders should only use field names which are in the db and are part of an allow list.
Our fix: We have added an allow list to all our model code.
Problem: 2FA/TOTP BYPASS via skipTotpCheck: true
Our analysis: I think this is because the demo instance does not allow you to set a TOTP. It doesn't show an error currently when this happens and leads the user to believe an OTP was set. For the demo server, we can't allow users to set a TOTP because it will make it unusable for others.
Our fix: We will show an error like we show in other places. But also, the password login routes have already been removed in Cloudron 10 (which is yet to be released). That route exists as a backward compat for the CLI. Cloudron only supports OIDC device auth for the CLI from Cloudron 10.
Problem: Stored XSS via branding footer
Our analysis: Right. This issue has been present since ages and our demo instance always has someone putting some alert() or some stupid HTML in there periodically...
Our fix: We give in to the non-stop reports about this... We use dompurify now.
Thanks for the report again. Very clear and solid notes. I also took the chance to update https://www.cloudron.io/security.html and https://www.cloudron.io/.well-known/security.txt
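An added example (not Cloudron's own model code) of the allow-list approach described for the dynamic column name fix above: the builder that interpolates caller-supplied field names sits beside one that accepts only known columns per table. The table and column names are assumed.

```javascript
// Per-table allow list of columns a REST caller may reference.
// Table and column names are assumed for this example, not Cloudron's schema.
const ALLOWED_FIELDS = {
  apps: new Set(['id', 'location', 'label', 'memoryLimit']),
  users: new Set(['id', 'username', 'email', 'displayName']),
};

// Unsafe builder: values are parameterized, but the field names (SQL
// identifiers) come straight from the request body. Placeholders cannot
// protect identifiers, so a crafted key alters the query text itself.
function buildUpdateUnsafe(table, fields, id) {
  const names = Object.keys(fields);
  const sets = names.map((f) => `${f} = ?`).join(', ');
  return {
    sql: `UPDATE ${table} SET ${sets} WHERE id = ?`,
    params: [...names.map((f) => fields[f]), id],
  };
}

// Hardened builder: the table and every field name must be on the allow
// list, and identifiers are backtick-quoted. Rejecting unknown names also
// stops a caller from updating columns the API never meant to expose.
function buildUpdateSafe(table, fields, id) {
  const allowed = ALLOWED_FIELDS[table];
  if (!allowed) throw new Error(`unknown table: ${table}`);
  const names = Object.keys(fields);
  if (names.length === 0) throw new Error('no fields to update');
  const bad = names.filter((f) => !allowed.has(f));
  if (bad.length) throw new Error(`disallowed field(s): ${bad.join(', ')}`);
  const sets = names.map((f) => `\`${f}\` = ?`).join(', ');
  return {
    sql: `UPDATE \`${table}\` SET ${sets} WHERE \`id\` = ?`,
    params: [...names.map((f) => fields[f]), id],
  };
}

// Constructed request body, as an API handler might receive it.
const body = { email: 'alice@example.com', displayName: 'Alice' };
console.log(buildUpdateUnsafe('users', body, 'u1').sql);
console.log(buildUpdateSafe('users', body, 'u1').sql);
```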
-
Download of files not possible via _admin interface
Fixed in the latest package.
-
Download of files not possible via _admin interface
I broke it with the new release. Fix is coming...
-
Community Apps >>> Cloudron Catalog Apps
@creative567145 good you bring it up. At least in my mind, the Cloudron catalog is not the "next step" in a community package's lifecycle. In some cases it might actively hamper the community package author. For example, if we were to take over @luckow's packages from his recently announced package store, I am not sure how he feels (given he has invested much time and resources into this).
Maybe it makes sense for Cloudron team to take over when the package is popular and well in use but the community packager does not want to maintain anymore. This probably requires collection of some stats on package installs which we don't collect (but probably the packager can collect on their server to get a guesstimate).
Not sure how others perceive all this though, happy to collect some input here.
-
Allows to set the maxmemory-policy for redis via cloudron manifest
I have implemented this in Cloudron 10. You can set the maxmemoryPolicy in the manifest.
-
Safeserver App catalogue
This looks awesome.
Just signed up to try imapsync. I didn't know this had a web UI. We should probably update https://docs.cloudron.io/guides/import-email#imapsync
- Sign up flow was obvious and everything worked
- Not clear what "Sanctum personal access tokens" is or why I need this. Is this for the protected docker registry?
- Ultimately, I could not install it for the same reason as @fbartels
-
Problems with DNS 200
was removed last month - https://git.cloudron.io/platform/box/-/commit/f30423f2bea267c0b4a5d0b87bae96157ac5f593 . Will be part of Cloudron 10.
-
Safeserver App catalogue
Hi @luckow,
congrats on the launch! What function does it serve that I need to add my Cloudron server in the settings and why does it go via the IP?
When installing two apps I am getting an error that it cannot pull from the registry:
Jun 02 21:14:30 tasks: setCompleted - 23938: {"result":null,"error":{"message":"Unable to pull image apps.safeserver.de/de.safeserver.openslides.cloudron:1.0.0. Please check the network or if the image needs authentication. statusCode: 401","reason":"Docker Error"},"percent":100}
"Create and manage Sanctum personal access tokens."
I see you are using Laravel.