Directory listing in multiple endpoints in nilsteampassnet/teampass

Valid

Reported on

Jun 10th 2023


Description

Teampass has directory listing enabled by default for various endpoints, which discloses application-specific files and user data to anyone who can reach the server.

Proof of Concept

Visit the following endpoints without logging in to the application.

Sensitive

  • https://127.0.0.1/includes (configs)
  • https://127.0.0.1/upload (Uploaded files)
  • https://127.0.0.1/files (Contains .sql file)

Miscellaneous

  • https://127.0.0.1/api/Controller
  • https://127.0.0.1/api/Model
  • https://127.0.0.1/api/inc
  • https://127.0.0.1/pages
  • https://127.0.0.1/sources
  • https://127.0.0.1/plugins
  • https://127.0.0.1/scripts

Note

This could be fixed in the server configuration itself, but it is better to do it at the application level as well, because many Teampass installations on the internet are exposing their data publicly, as shown in the image below. This could be fixed simply by adding a blank index.php page to each of the directories.
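The application-level fix described above, as an added example that is not part of the report or of the Teampass project: a POSIX shell script that drops an empty index.php into each directory named in this report and lists any that still lack one. It assumes the first argument is the Teampass web root (the path `/var/www/teampass` in the usage line is an assumption) and the directory names are taken from the endpoint lists above.

```shell
#!/bin/sh
# Added example (not Teampass project code): create an empty index.php in each
# directory the report names, so a web server that still has directory
# indexing enabled serves the blank page instead of a listing.
# Assumption: $1 is the Teampass web root; the directory list comes from the
# report above (paths relative to the web root).

TEAMPASS_DIRS="includes upload files api/Controller api/Model api/inc pages sources plugins scripts"

# Creates an empty index.php in each listed directory under the given web root.
# Directories missing from this installation are skipped, and an existing
# index.php is never overwritten. Prints the number of files created.
add_blank_index() {
    webroot="$1"
    created=0
    for d in $TEAMPASS_DIRS; do
        target="$webroot/$d"
        [ -d "$target" ] || continue
        if [ ! -e "$target/index.php" ]; then
            : > "$target/index.php"
            created=$((created + 1))
        fi
    done
    echo "$created"
}

# Prints, one per line, the listed directories that exist but still have no
# index.php; empty output means every present directory is covered.
missing_index() {
    webroot="$1"
    for d in $TEAMPASS_DIRS; do
        target="$webroot/$d"
        [ -d "$target" ] || continue
        [ -e "$target/index.php" ] || echo "$d"
    done
}

# Usage: sh add_blank_index.sh /var/www/teampass   (web root path is an assumption)
if [ -n "${1:-}" ]; then
    n=$(add_blank_index "$1")
    echo "created $n blank index.php file(s)"
    missing_index "$1"
fi
```

The blank file only masks the listing; it does not stop direct requests for known file names inside those directories, so the server-level control the note mentions (for example `Options -Indexes` in Apache or `autoindex off;` in nginx) remains the primary fix, and access to `includes` and `files` should additionally be denied outright.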

Impact

Sensitive files can be accessed by attackers. Here's a real-world example:

References

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 3 months ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 3 months ago
Nils Laumaillé validated this vulnerability 2 months ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.10 with commit e9f90b 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Nils Laumaillé published this vulnerability 2 months ago
Nils Laumaillé gave praise 2 months ago
thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1