Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in tildeclub/site

Status: Valid

Reported on: Sep 13th 2021


✍️ Description

The file signup-handler.php creates a user from the request parameters username, email, interest and sshkey. The affected parameter is sshkey. The handler does not sanitize special characters in it and only checks whether the first 4 characters of the input are ssh-, which allows the signup entries in /var/signups to be malformed using the special characters { and }.

In particular, setting sshkey to ssh-%20anything%7D%22%0Amakeuser%20%7Badmin%7D%20%7Bmyemail%40asdasd.asd%7D%20%22%7BMySSHkey creates a user whose name, such as admin, is in the forbidden_name array.

Remediation

Perform input validation on sshkey.

📍 Location

signup-handler.php#L102
signup-handler.php#L75
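An added example of the kind of input validation the remediation calls for. This is illustrative code written for this report, not tildeclub/site's signup-handler.php; it assumes the handler can call a function, here named validate_ssh_pubkey(), on the raw sshkey parameter before the signup entry is built, and the key blob in the sample input is a constructed placeholder rather than a real key.

```php
<?php
// Added illustration for this report, not code from tildeclub/site.
// validate_ssh_pubkey() accepts only a single-line OpenSSH public key of the
// form "<type> <base64 blob> [comment]" and returns a normalised copy, or
// null when the input does not conform. Because the blob is limited to the
// base64 alphabet and the comment to a small character set, the characters
// that break the signup record ({, }, ", newline) can never reach /var/signups.

function validate_ssh_pubkey(string $input): ?string
{
    $key = trim($input);

    // A newline is what lets a second "makeuser" record be smuggled into the
    // signup file, so reject any control character outright.
    if ($key === '' || strlen($key) > 8192 || preg_match('/[\x00-\x1f\x7f]/', $key)) {
        return null;
    }

    $parts = preg_split('/[ \t]+/', $key, 3);
    if (count($parts) < 2) {
        return null;
    }
    [$type, $blob] = $parts;
    $comment = $parts[2] ?? '';

    // Exact key-type tokens; a bare "ssh-" prefix check is not enough.
    $allowedTypes = [
        'ssh-rsa', 'ssh-ed25519',
        'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521',
    ];
    if (!in_array($type, $allowedTypes, true)) {
        return null;
    }

    // Strict base64: alphabet only, padding only at the end.
    if (!preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $blob)) {
        return null;
    }
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 4) {
        return null;
    }

    // The wire format starts with a length-prefixed string naming the key
    // type; it must match the textual type, which rejects junk blobs.
    $len = unpack('N', substr($raw, 0, 4))[1];
    if ($len > strlen($raw) - 4 || substr($raw, 4, $len) !== $type) {
        return null;
    }

    // The comment is free text in OpenSSH, so keep only a conservative
    // character set and drop anything else rather than storing it.
    if ($comment !== '' && !preg_match('/^[A-Za-z0-9._@+-]{1,64}$/', $comment)) {
        $comment = '';
    }

    return $comment === '' ? "$type $blob" : "$type $blob $comment";
}

// Hypothetical call site in a signup handler:
//   $sshkey = validate_ssh_pubkey($_POST['sshkey'] ?? '');
//   if ($sshkey === null) { http_response_code(400); exit('invalid ssh key'); }
//   ... only then build and write the signup entry ...

// Constructed sample inputs. The ed25519 blob below is the standard
// "ssh-ed25519" header followed by an all-zero 32-byte key: well-formed for
// this check, but a placeholder, not a real key.
$wellFormed = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI' . str_repeat('A', 43) . ' user@example';
// The report's payload, URL-decoded: it passes an "ssh-" prefix check but not this one.
$reportPayload = "ssh- anything}\"\nmakeuser {admin} {myemail@asdasd.asd} \"{MySSHkey";

var_dump(validate_ssh_pubkey($wellFormed));            // normalised key string
var_dump(validate_ssh_pubkey($reportPayload));         // null: rejected
var_dump(validate_ssh_pubkey('ssh-rsa not-base64{}')); // null: rejected
```

The check deliberately parses the base64 blob and compares the embedded type string with the textual one, so a value that merely starts with a known key type and contains only safe characters is still rejected if it is not a real key structure; the signup record is then built only from the returned, normalised string.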

We have contacted a member of the tildeclub/site team and are waiting to hear back (3 months ago)
Viky modified their report (3 months ago)
Viky modified their report (3 months ago)
Viky modified their report (3 months ago)
tildeclub/site maintainer validated this vulnerability (2 months ago)
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs
tildeclub/site maintainer confirmed that a fix has been merged on 09f103 (2 months ago)
The fix bounty has been dropped