SafeLine
[Bug] [Security] Vulnerability Report: Authentication Bypass in SafeLine WAF Management Interface
Summary
A configuration-based authentication bypass vulnerability exists in the SafeLine WAF management interface that disables authentication when the NO_AUTH environment variable is set during deployment.
Vulnerability Details
Severity: Medium
CVSS Score: 6.6 (Medium)
CWE: CWE-287 (Improper Authentication)
Affected Component: SafeLine Management Web Server
Affected File: management/webserver/main.go
Description
The SafeLine management web server contains logic that bypasses the authentication middleware when a NO_AUTH environment variable is present with a non-empty value. This appears to be intended for development or testing purposes, but it creates a potential security risk in production deployments.
Impact
If exploited through deployment configuration, this vulnerability would provide:
- Administrative access to protected API endpoints
- Control over website configuration and SSL certificate management
- Ability to modify WAF policy rules and security settings
Attack Scenarios
This vulnerability requires access to the deployment environment and is exploitable in these scenarios:
- Supply Chain Compromise: Malicious modification of deployment scripts or Docker Compose files
- Insider Threats: Intentional misuse by personnel with deployment access
- CI/CD Pipeline Compromise: Injection through compromised deployment pipelines
- Configuration Management Issues: Accidental inclusion in production deployments
Proof of Concept
# In Docker Compose deployment
environment:
- NO_AUTH=1
# Or via environment variable
export NO_AUTH=true
Recommended Fixes
Option 1: Complete Removal (Recommended)
Remove the authentication bypass logic entirely:
limitedRouters := r.Group("/api")
limitedRouters.Use(middleware.AuthRequired)
Option 2: Development Environment Restriction
If needed for development, restrict to development environments:
if os.Getenv("ENVIRONMENT") == "development" && os.Getenv("NO_AUTH") != "" {
logger.Warn("No auth - development mode only")
} else {
limitedRouters.Use(middleware.AuthRequired)
}
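The following is an added, self-contained illustration (not SafeLine's code) of why the cited check is broken and how Option 2 closes it. It substitutes a map for os.Getenv and a stub X-Session header check for middleware.AuthRequired so it runs offline; the point is that `existed && len(noAuth) >= 0` is true for any NO_AUTH value, even an empty one, while the restricted check only yields when ENVIRONMENT=development and NO_AUTH is non-empty.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authRequired is a constructed stand-in for middleware.AuthRequired.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Session") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// bypassAuth mirrors the cited check. len(noAuth) >= 0 is always true,
// so the mere presence of NO_AUTH, even NO_AUTH="", disables auth.
func bypassAuth(env map[string]string) bool {
	noAuth, existed := env["NO_AUTH"]
	return existed && len(noAuth) >= 0
}
// bypassAuthFixed is the report's Option 2: development only, non-empty value.
func bypassAuthFixed(env map[string]string) bool {
	return env["ENVIRONMENT"] == "development" && env["NO_AUTH"] != ""
}
// newAPI wraps a stub /api handler in authRequired unless bypass(env) is true.
func newAPI(env map[string]string, bypass func(map[string]string) bool) http.Handler {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "user: admin")
	})
	if bypass(env) {
		return api
	}
	return authRequired(api)
}
// statusFor sends an unauthenticated GET /api/user and returns the HTTP status.
func statusFor(env map[string]string, bypass func(map[string]string) bool) int {
	rec := httptest.NewRecorder()
	newAPI(env, bypass).ServeHTTP(rec, httptest.NewRequest("GET", "/api/user", nil))
	return rec.Code
}
func main() {
	fmt.Println(statusFor(map[string]string{"NO_AUTH": ""}, bypassAuth))      // 200
	fmt.Println(statusFor(map[string]string{"NO_AUTH": ""}, bypassAuthFixed)) // 401
}
```

A deployment check that greps Compose files and the process environment for NO_AUTH, regardless of value, is the corresponding detection until the code-level fix ships.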
CVSS v3.1 Breakdown
- Attack Vector: Local (L) - requires deployment environment access
- Attack Complexity: Low (L) - simple configuration change
- Privileges Required: High (H) - needs deployment privileges
- User Interaction: None (N)
- Scope: Changed (C) - affects entire WAF system
- Impact: High (H) for confidentiality, integrity, and availability
Base Score: 6.6 (Medium)
Timeline
- Discovery Date: 28.09.2025
- Vendor Notification: 28.09.2025
References
- SafeLine Repository: https://github.com/chaitin/SafeLine
- CWE-287: https://cwe.mitre.org/data/definitions/287.html
Credit
Discovered by: Martin Aberastegue / Torito
Note: While this vulnerability requires privileged access to exploit, it represents a configuration security risk that should be addressed to maintain defense-in-depth principles for a security product.
Citations
File: management/webserver/main.go (L162-167)
noAuth, existed := os.LookupEnv("NO_AUTH")
if existed && len(noAuth) >= 0 {
logger.Warn("No auth")
} else {
limitedRouters.Use(middleware.AuthRequired)
}
File: management/webserver/main.go (L174-188)
limitedRouters.GET(api.User, api.GetUser)
limitedRouters.GET(api.DetectLogList, api.GetDetectLogList)
limitedRouters.GET(api.DetectLogDetail, api.GetDetectLogDetail)
limitedRouters.POST(api.Website, api.PostWebsite)
limitedRouters.PUT(api.Website, api.PutWebsite)
limitedRouters.DELETE(api.Website, api.DeleteWebsite)
limitedRouters.GET(api.Website, api.GetWebsite)
limitedRouters.POST(api.UploadSSLCert, api.PostUploadSSLCert)
limitedRouters.POST(api.SSLCert, api.PostSSLCert)
limitedRouters.POST(api.PolicyRule, api.PostPolicyRule)
limitedRouters.PUT(api.PolicyRule, api.PutPolicyRule)