This repository has been archived by the owner on Mar 27, 2019. It is now read-only.
Security issue. Token leakage #255
Hi.
Our security team tested your UI and found a vulnerability.
Here is the feedback from them:
Steps to reproduce
Token leakage:
Access token stolen.
Internal resources access:
```http
GET /v1/sys/capabilities-self?vaultaddr=https:%2F%2Fgit.wrke.in HTTP/1.1
Host: spb-off-vault01.team.wrike.com:8000
...
```
You get git.wrke.in content, but we assume that the attacker has no access to it.
Actual result
Token stolen, internal resources accessed
Expected result
No SSRF
Area of Responsibility
Other
Recommendation
Do not use user input; take the value of the target host from configuration.
Currently in /src/vaultapi.js:
```js
let vaultAddr = req.query.vaultaddr;
```
but it should be something like this:
```js
let vaultAddr = config['vaultaddr'];
```

Comments
Soooo, any suggestions for another UI that's not this one, @anton00706?
@reverendtimm The official one?
@JorisInsign noice. Thanks.
There has been no response from a developer, nor has there been a commit since this issue was opened. So at this point, I don't even care if the issue is real. (Though I think it is.) Clearly using Vault-UI to access (company) secrets is a no-go.