Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in tildeclub/site

Valid

Reported on

Sep 13th 2021

✍️ Description

The file signup-handler.php creates a user by accepting input from request parameters username, email, interest, sshkey. The affected parameter is sshkey. It does not sanitizes special characters and only checks if the first 4 character of the input is ssh- which allows the signup entries in /var/signups to be malformed using special characters {, }

In particular, it is possible to control the input sshkey to ssh-%20anything%7D%22%0Amakeuser%20%7Badmin%7D%20%7Bmyemail%40asdasd.asd%7D%20%22%7BMySSHkey to create a user name, such as admin, in the array forbidden_name.

Remedation

Perform input validation in sshkey 📍 Location signup-handler.php#L102 signup-handler.php#L75

We have contacted a member of the tildeclub/site team and are waiting to hear back 2 years ago

Viky modified the report

2 years ago

Viky modified the report

2 years ago

Viky modified the report

2 years ago

A tildeclub/site maintainer validated this vulnerability 2 years ago

Viky has been awarded the disclosure bounty

The fix bounty is now up for grabs

A tildeclub/site maintainer marked this as fixed with commit 09f103 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation

We have contacted a member of the tildeclub/site team and are waiting to hear back 2 years ago

Viky modified the report

2 years ago

Viky modified the report

2 years ago

Viky modified the report

2 years ago

A tildeclub/site maintainer validated this vulnerability 2 years ago

Viky has been awarded the disclosure bounty

The fix bounty is now up for grabs

A tildeclub/site maintainer marked this as fixed with commit 09f103 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation