Insertion of Sensitive Information into Log File in gotify/server
Valid
Reported on Sep 26th 2021
Description
In the default Docker installation, the user's authorization token is written to the application log, where it is readable at the OS level.
Proof of Concept
1. Install the Docker version of the software
2. Log in with any user
3. Observe the logs; the following row is displayed:
[GIN] 2021/09/26 - 19:34:52 | 200 | 654.694µs | 89.135.196.67 | GET "/stream?token=C6B9MTgeJcaJatJ"
Please take a look at the following screenshot:
Impact
A privileged OS-layer user who can read the logs obtains the token and can impersonate the web application's users.
Recommendation
It is recommended to mask these values in the logs.
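As an added illustration of the recommended masking (this is example code written for this page, not gotify/server's own logger or fix), the following standard-library Go middleware redacts the value of sensitive query parameters before the access-log line is written, using a layout close to the Gin line quoted above. The parameter list (`token` from the report, plus `password` and `secret`) and the `REDACTED` marker are assumptions for the example; the Gin framework is not used so that the block runs with no dependencies.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sensitiveParams names the query parameters whose values must never appear
// in an access log. "token" is the parameter shown in the report; the other
// two are assumed names added for illustration.
var sensitiveParams = map[string]bool{
	"token":    true,
	"password": true,
	"secret":   true,
}

// RedactQuery returns requestURI with the value of every sensitive query
// parameter replaced by "REDACTED". Parameter order and non-sensitive
// parameters are preserved so the log line still shows what was requested.
// The raw query string is scanned directly instead of round-tripping through
// url.Values, so the logged form stays recognisable.
func RedactQuery(requestURI string) string {
	path, query, hasQuery := strings.Cut(requestURI, "?")
	if !hasQuery || query == "" {
		return requestURI
	}
	pairs := strings.Split(query, "&")
	for i, pair := range pairs {
		key, _, hasValue := strings.Cut(pair, "=")
		if hasValue && sensitiveParams[strings.ToLower(key)] {
			pairs[i] = key + "=REDACTED"
		}
	}
	return path + "?" + strings.Join(pairs, "&")
}

// FormatLogLine builds one access-log entry in a layout close to the Gin line
// quoted in the report, with the URI passed through RedactQuery first.
func FormatLogLine(method, requestURI, remoteAddr string, status int) string {
	return fmt.Sprintf("%d | %s | %s %q", status, remoteAddr, method, RedactQuery(requestURI))
}

// statusRecorder captures the status code the wrapped handler writes so the
// log line can report it.
type statusRecorder struct {
	http.ResponseWriter
	status int
}

func (r *statusRecorder) WriteHeader(code int) {
	r.status = code
	r.ResponseWriter.WriteHeader(code)
}

// RedactingLogger wraps next and writes one redacted access-log line per
// request to logger, replacing a default request logger that prints the raw URI.
func RedactingLogger(logger *log.Logger, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec := &statusRecorder{ResponseWriter: w, status: http.StatusOK}
		next.ServeHTTP(rec, r)
		logger.Println(FormatLogLine(r.Method, r.URL.RequestURI(), r.RemoteAddr, rec.status))
	})
}

// LogOnce serves a single constructed GET request for requestURI through
// RedactingLogger and returns the resulting log line (trailing newline
// removed) so the behaviour can be checked without a real listener.
func LogOnce(requestURI string) string {
	var buf strings.Builder
	logger := log.New(&buf, "", 0)
	handler := RedactingLogger(logger, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, requestURI, nil)
	handler.ServeHTTP(httptest.NewRecorder(), req)
	return strings.TrimSpace(buf.String())
}

func main() {
	// Constructed request with the same shape as the one in the report; the
	// token value is a made-up sample, not a real credential.
	fmt.Println(LogOnce("/stream?token=EXAMPLETOKEN123"))
	// prints: 200 | 192.0.2.1:1234 | GET "/stream?token=REDACTED"
}
```

Masking the log line removes the leak shown in the report, but a token carried in the query string can still surface in proxy and browser logs along the path; carrying it in a request header instead keeps it out of URL-based logging altogether, and the redaction above then acts as defence in depth.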
We created a GitHub Issue asking the maintainers to create a SECURITY.md (2 years ago)
We have contacted a member of the gotify/server team and are waiting to hear back (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE