Security bug that allows unauthorized access
-
I want to report a serious security bug that allows unauthorized access to someone else's account.
Description:
The password change option generates a password change link which verifies neither the old password nor the 2FA (if enabled), and allows changing the other user's password and then accessing that profile.
-
@mcgiwer The right workflow is responsible disclosure. Please take a look at https://www.cloudron.io/security.html
-
@nebulon I mean the place where all users are listed.
There is a risk that the password change may be misused to gain unauthorized access to someone else's account, all because the password change form asks for neither the old password nor the 2FA key (if it's enabled for the user).
The best example of that is visible in the online demo.
-
@mcgiwer said in Security bug that allows unauthorized access:
@nebulon I mean the place where all users are listed.
Surely Admins (who, on purpose, can very easily impersonate anyone anyway) are the only people who can access that page anyway?
-
@mcgiwer said in Security bug that allows unauthorized access:
all because the password change form asks for neither the old password,
It's meant to change the password presumably because you forgot the old password. So, it can't ask for the old password.
nor the 2FA key (if it's enabled for the user).
I can't reproduce this. If the user has 2FA set up, the password reset link requires 2FA. Can you tell me which version of Cloudron you are using? I am testing on 7.6.4.
-
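The reply above describes the intended behaviour of an admin-issued reset link: it cannot ask for the old password (the user has forgotten it), but when the account has 2FA enabled the link alone must not be enough to set a new password. The following is an added illustration of that control, not Cloudron's code; the service, the class and function names, the token lifetime and the sample users are all constructed for the example. The link token is stored only as a hash, is single-use and time-limited, and the reset is refused unless a valid TOTP code accompanies it for a 2FA user.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TOKEN_TTL = 3600  # seconds a reset link stays valid (constructed value)


@dataclass
class User:
    username: str
    password_hash: str
    totp_secret: Optional[bytes] = None  # None means 2FA is not enabled


@dataclass
class ResetTicket:
    username: str
    expires_at: float


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; output is 'salthex:digesthex'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PasswordResetService:
    """Hypothetical reset flow: admin issues a link, holder completes it."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self._tickets: Dict[str, ResetTicket] = {}  # keyed by sha256(token)

    def add_user(self, username: str, password: str, totp_secret: Optional[bytes] = None) -> None:
        self.users[username] = User(username, hash_password(password), totp_secret)

    def issue_reset_link(self, username: str, now: Optional[float] = None) -> str:
        # Caller (an admin UI) is responsible for authorization. Returns the
        # raw token that goes into the link; only its hash is kept server-side.
        if username not in self.users:
            raise KeyError("unknown user")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._tickets[key] = ResetTicket(username, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str,
                       totp_code: Optional[str] = None, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        ticket = self._tickets.get(key)
        if ticket is None or ticket.expires_at < now:
            self._tickets.pop(key, None)  # drop expired tickets eagerly
            return False
        user = self.users[ticket.username]
        # The link proves an admin issued a reset; it does not prove the holder
        # is the account owner. With 2FA enabled the second factor is still
        # required, and a failed attempt leaves the ticket unconsumed.
        if user.totp_secret is not None:
            expected = totp(user.totp_secret, now)
            if totp_code is None or not hmac.compare_digest(totp_code, expected):
                return False
        # Single use: consume the ticket before storing the new password.
        del self._tickets[key]
        user.password_hash = hash_password(new_password)
        return True
```

Fixing `now` in the calls makes the TOTP window deterministic for testing; in production both `issue_reset_link` and `complete_reset` use the wall clock, and a deployment would normally also allow the adjacent 30-second step to absorb clock drift.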
On second thought, I will mark this issue as 'resolved' here. If you can send us a detailed report to security@cloudron.io, it would be much appreciated.
Edit: I actually see that you already reported this there. Thanks, let's follow up there.
-