Insertion of Sensitive Information into Log File in gotify/server


Reported on

Sep 26th 2021


On OS level, the authorization token of the user is being logged, with the default docker installation.

Proof of Concept

1; Install the docker version of the software

2; Log in with any user

3; Observe the logs, and the following row is being displayed:

[GIN] 2021/09/26 - 19:34:52 | 200 | 654.694µs | | GET "/stream?token=C6B9MTgeJcaJatJ"

Please take a look at the following screenshot:

alt text


A privileged OS layer user is able to impersonate the web application users.

#Recommendation It is recommended to mask these values in the logs.

We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the gotify/server team and are waiting to hear back a year ago
gotify/server maintainer validated this vulnerability a year ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
gotify/server maintainer confirmed that a fix has been merged on 8affec a year ago
The fix bounty has been dropped
to join this conversation