mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-02-05 00:29:40 +03:00
Username field character restriction bypass leads to use username that resolves to existing file names on server and creates a never viewable profile #672
Originally created by @a1woareS on GitHub (Apr 2, 2020).
Description
Researchers can set their username from https://bitwarden.80db.nl/account. However, the username field has a character restriction, which is: "The username field may only contain alpha-numeric characters." So no one should be able to set a username that looks like robots.txt. But I found a way to achieve it, which allows me to set a researcher's username that is never viewable.
Reproduce :
Visit https://airvpn.org/account and in the *Username* field give any name, click the Update account button and capture the request with the Burp Suite tool.
You will see a parameter named "username" whose value is the value you gave in the username field.
Now change the "username" parameter value to robots.txt and it will look like "username":"robots.txt" [You may not be able to use robots.txt as it's already claimed by my test account, so use robot.txt instead]
Forward the request and now notice the username value in https://bitwarden.80db.nl/account, which should be robots.txt.
Now whenever the user submits a report from that profile it will show that robots.txt submitted a report, and whenever a team member clicks on the username to see the researcher's profile they will not be able to see it and will get a 404 page if the file doesn't exist on the server.
I have created a profile using these steps, whose link is: https://bitwarden.80db.nl/robots.txt
Request
Response
Impact
An attacker can create an account that is not viewable. An attacker can do this for many motives, like: a program bans a researcher for any reason and doesn't want to add the researcher in future. But the attacker creates a profile which is never viewable, and while the program admins invite the researcher or review reports they want to verify the researcher's details, but it can't be done because of this issue.
Remediation Advice
Don't allow users to use alpha-numeric characters in the username and verify it properly from the server side.
Regards
Alwoares
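As an added example (not code from the original report and not vaultwarden's own code), this is the server-side check the remediation section asks for, written in Rust since that is vaultwarden's language: the "alpha-numeric only" rule is applied to the value actually received in the request body, so a proxy-edited field like "robots.txt" or "phpinfo.php" is rejected regardless of what the HTML form allowed. The maximum length is an assumption for the example.

```rust
// Added example, not vaultwarden code: enforce the username character rule on
// the server, where the client (or a proxy like Burp) cannot bypass it.

#[derive(Debug, PartialEq)]
pub enum UsernameError {
    Empty,
    TooLong { max: usize },
    /// The first offending character and its 0-based position in the input.
    InvalidChar { position: usize, ch: char },
}

/// Assumed upper bound for the example; not a vaultwarden constant.
pub const MAX_USERNAME_LEN: usize = 32;

/// Validate a username exactly as received from the client.
///
/// `is_ascii_alphanumeric` rejects '.', '/', '\\', whitespace and every
/// non-ASCII letter, so the stored value can never spell a file name or a
/// path segment such as "robots.txt". If Unicode letters are wanted, use
/// `char::is_alphanumeric` instead, but be aware that it widens the set.
pub fn validate_username(name: &str) -> Result<(), UsernameError> {
    if name.is_empty() {
        return Err(UsernameError::Empty);
    }
    if name.chars().count() > MAX_USERNAME_LEN {
        return Err(UsernameError::TooLong { max: MAX_USERNAME_LEN });
    }
    if let Some((position, ch)) = name
        .chars()
        .enumerate()
        .find(|(_, c)| !c.is_ascii_alphanumeric())
    {
        return Err(UsernameError::InvalidChar { position, ch });
    }
    Ok(())
}

fn main() {
    // Constructed inputs: a normal name plus the values from the report.
    for name in ["alice123", "robots.txt", "phpinfo.php", "robot.txt", ""] {
        println!("{name:?} -> {:?}", validate_username(name));
    }
}
```

The rejection carries the position and character so the API can return a precise error to a legitimate client while still refusing the value.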
@jjlin commented on GitHub (Apr 2, 2020):
It's probable that English isn't your native language, but it's hard to understand what you really mean. Can you attach screenshots that demonstrate this issue?
@a1woareS commented on GitHub (Apr 8, 2020):
The username character restriction: I can set anything, like phpinfo.php or robots.txt.
@mqus commented on GitHub (Apr 9, 2020):
Could you detail "Whenever the user will submit a report", which report do you mean?
@a1woareS commented on GitHub (Apr 9, 2020):
I think you are not getting the report properly. I will submit it again to clear up what I want to say.
@BlackDex commented on GitHub (Sep 23, 2020):
@Alwoares is this still a (security) issue? Could you explain it better?
If you want, you can explain it to me in Dutch, preferably via matrix/elements.io chat. If that is an issue for you then place it here and I will translate it.
@BlackDex commented on GitHub (Oct 9, 2020):
Closed the issue since it is not clear if this is still an issue.
Feel free to reopen if needed.