lovelace-website icon indicating copy to clipboard operation
lovelace-website copied to clipboard

Published 20 hours ago • verified publisher icon project-lovelace

Website not secured : Full root access

Open unrealwill opened this issue 3 years ago • 0 comments

Hello,

I managed to get complete access to your website in less than 10 lines of code.

As proof : logs of letsencrypt-nginx-proxy

"Info: running letsencrypt-nginx-proxy-companion version v2.0.2-3-ged07a99
Info: Custom Diffie-Hellman group found, generation skipped.
Reloading nginx proxy (nginx-proxy)...
2021/04/19 18:15:01 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2021/04/19 18:15:01 [notice] 62#62: signal process started
2021/04/19 18:15:03 Generated '/app/letsencrypt_service_data' from 6 containers
2021/04/19 18:15:03 Running '/app/signal_le_service'
2021/04/19 18:15:03 Watching docker events
2021/04/19 18:15:04 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
Reloading nginx proxy (nginx-proxy)...
2021/04/19 18:15:07 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
2021/04/19 18:15:07 [notice] 84#84: signal process started
Creating/renewal projectlovelace.net certificates... (projectlovelace.net)
[Mon Apr 19 18:15:09 UTC 2021] Domains not changed.
[Mon Apr 19 18:15:09 UTC 2021] Skip, Next renewal time is: Sun May 30 20:19:07 UTC 2021
[Mon Apr 19 18:15:09 UTC 2021] Add '--force' to force to renew.
Sleep for 3600s
Creating/renewal projectlovelace.net certificates... (projectlovelace.net)
[Mon Apr 19 19:15:11 UTC 2021] Domains not changed.
[Mon Apr 19 19:15:11 UTC 2021] Skip, Next renewal time is: Sun May 30 20:19:07 UTC 2021
[Mon Apr 19 19:15:11 UTC 2021] Add '--force' to force to renew.
Sleep for 3600s
Creating/renewal projectlovelace.net certificates... (projectlovelace.net)
[Mon Apr 19 20:15:13 UTC 2021] Domains not changed.
[Mon Apr 19 20:15:13 UTC 2021] Skip, Next renewal time is: Sun May 30 20:19:07 UTC 2021
[Mon Apr 19 20:15:13 UTC 2021] Add '--force' to force to renew.
Sleep for 3600s
Creating/renewal projectlovelace.net certificates... (projectlovelace.net)
[Mon Apr 19 21:15:15 UTC 2021] Domains not changed.
[Mon Apr 19 21:15:15 UTC 2021] Skip, Next renewal time is: Sun May 30 20:19:07 UTC 2021
[Mon Apr 19 21:15:15 UTC 2021] Add '--force' to force to renew.
Sleep for 3600s
Creating/renewal projectlovelace.net certificates... (projectlovelace.net)
[Mon Apr 19 22:15:17 UTC 2021] Domains not changed.
[Mon Apr 19 22:15:17 UTC 2021] Skip, Next renewal time is: Sun May 30 20:19:07 UTC 2021
[Mon Apr 19 22:15:17 UTC 2021] Add '--force' to force to renew.
Sleep for 3600s
"

Look for the string "class RCELogs" in your server logs if you want the exploit code.

If you need further help to understand the exploit I can answer here but it would publicly expose the vulnerability.

unrealwill avatar Apr 19 '21 23:04 unrealwill