Users gets placed into other's account
Current Behavior
Today every user got placed into one customer's account, including me (admin). This happened before while we were testing, and we were not able to recreate the issue; it seems to happen randomly. Is this a well-known issue, or unknown? Also worth mentioning: I have the "stellar" theme installed.
Expected Behavior
The expected is to not put everyone into one user's account, obviously.
Steps to Reproduce
- Install the stellar theme
- Have multiple users registered
- Log in
- Close the page
- Open the panel again

(It happens rarely, but if someone gets into one of the admin's accounts, that's a serious vulnerability, I think.)
Panel Version
1.11.7
Wings Version
1.11.13
Games and/or Eggs Affected
No response
Docker Image
No response
Error Logs
No response
Is there an existing issue for this?
- [X] I have searched the existing issues before opening this issue.
- [X] I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
- [X] I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
> Steps to Reproduce: Install stellar theme
Are you able to reproduce this issue with no modifications made to Pterodactyl's source code?
If not, it's an issue either with your installation of the theme or with the theme itself, and thus you should contact the theme author.
This is likely an issue with your modification, or some kind of proxy or other component specific to your setup that is misbehaving.
Nobody else has ever reported anything like this happening.
Do you have any layer 7 protection installed on your system? Also, are you behind a proxy or Cloudflare?
I can consistently recreate this issue. It seems to me like Pterodactyl trusts the source IP too much. I have an unmodified install.
Sequence:
- Log in as a user "A".
- From the same external IP, for example by being on the same wifi or VPN, or behind the same CG-NAT (and such): open the login form on a different computer and try to log in as user "B".
- If the Pterodactyl panel answers with "error, could not log in", reloading the page with F5 logs in as user A, skipping password and 2FA.
- Logging out logs the user out from the device in step 1 as well.
- Attempting the steps again, the problem does not seem to occur. I'm still investigating triggers.
I discovered this the first time when I had created an account for a family member (leaving the password field empty, such that they would set it up from the email). My family member had trouble setting the password (it gave an error), but then when the browser was F5'd he was suddenly logged in to my admin account, skipping password and 2FA.
Does Pterodactyl not use a session in the browser? A cookie? I don't understand how this is possible even if a reverse proxy is incorrectly set up.
Could you provide a screenshot featuring this "error, could not log in" message?
I do not recognise this specific phrase as an error message (for example, do you mean the simple "No account matching those credentials could be found"?).
I take it back that I can reproduce it consistently. It happened twice in a row, but I spent some time trying to recreate it now after the new year and failed with my three attempts so far.
The error message was just me saying what I remember the point of the message was; I was not looking for the bug, so I wasn't paying close attention.
I am 100% sure my family member got placed into my admin account, and that I got logged into his the second time. Both times the login failed for some reason. But it's annoying me quite a lot that I can't recreate it. Nothing has changed server side, nor at the proxy, since it occurred. It seems like it needs to be in some specific state or something.
What is even weirder is that the account activity logs do not contain mixed user agents in the login events. I have only logged in from Firefox on Linux, and the family member from Firefox on Windows, but the activity logs for the user account show only the Windows user agent, and the admin account only Linux. But there are login events at the times the "account swap" happened, just stating they were from the original user agent.
It was caused by a badly configured reverse proxy. Using Nginx Proxy Manager, I turned on the "cache assets" setting for the panel, and I guess the proxy cached the sessions too (somehow) and logged customers into my admin account. Turning it off resolved the issue. (I turned it off the same day I reported this "vulnerability", so nothing bad happened.)
The first request after login that sets the session cookies specifies no-cache, so no reverse proxy should cache those. Either the reverse proxy is ignoring that, or there exists some situation where the cookies are being sent on a request where no-cache is not specified. I don't think using a cache is a badly configured proxy, and it is nice if it can cache static assets like images, fonts and JS, for example.
I see the session and XSRF tokens get refreshed periodically; I assume Pterodactyl is using some automatic refresh scheme with "remember web" as the refresh token.
Considering the cases that triggered it for me, maybe there is some error code response that gets cached (because no-cache is missing on it) that for some reason can include the session-related cookies? I.e., to trigger the error, both accounts must hit a fault at login?
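As an added example (not code from Pterodactyl or Nginx Proxy Manager), the following audit helper applies the rules a shared cache must follow before storing a proxied response, and makes explicit the one that matters for the cache-setting discussion above: any response carrying Set-Cookie belongs to one client and must never be stored and replayed to others, even when no Cache-Control header is present. The paths, cookie values and header sets are constructed for illustration.

```python
"""Shared-cache safety check for reverse-proxied responses.

Added example, not code from Pterodactyl or Nginx Proxy Manager. It applies
the storage rules of RFC 9111 section 3 that a correctly behaving shared cache
follows; a proxy configured to ignore Cache-Control or Set-Cookie skips them,
which is the failure mode discussed above. All sample values are constructed.
"""
from typing import Dict, List, Tuple

def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'no-cache, max-age=0' into {'no-cache': '', 'max-age': '0'}."""
    out: Dict[str, str] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"')
    return out

def shared_cache_verdict(req: Dict[str, str], resp: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is NO-STORE, REVALIDATE or STORE."""
    rq = {k.lower(): v for k, v in req.items()}
    rs = {k.lower(): v for k, v in resp.items()}
    cc = parse_cache_control(rs.get("cache-control", ""))
    if "no-store" in cc:
        return "NO-STORE", "Cache-Control: no-store"
    if "private" in cc:
        return "NO-STORE", "Cache-Control: private marks a per-user response"
    if "set-cookie" in rs:
        # A cache that stores this hands one user's session cookie to the next
        # visitor, regardless of whether the upstream sent Cache-Control.
        return "NO-STORE", "response sets a cookie, so it belongs to one client only"
    if "authorization" in rq and not ({"public", "s-maxage", "must-revalidate"} & set(cc)):
        return "NO-STORE", "authenticated request without explicit shared-cache permission"
    if "no-cache" in cc or cc.get("max-age") == "0":
        return "REVALIDATE", "may be stored but must be revalidated before reuse"
    return "STORE", "ordinary cacheable response"

# Constructed exchanges a caching proxy in front of a web panel might see.
SAMPLE_EXCHANGES: List[Tuple[str, Dict[str, str], Dict[str, str]]] = [
    ("/assets/app.js", {}, {"Cache-Control": "public, max-age=31536000"}),
    # Failed login with a fresh session cookie and no Cache-Control header at all.
    ("/auth/login", {}, {"Set-Cookie": "session=CONSTRUCTED; HttpOnly; Secure"}),
    ("/", {"Cookie": "session=CONSTRUCTED"}, {"Cache-Control": "no-cache, private"}),
    ("/api/client", {"Authorization": "Bearer CONSTRUCTED"}, {"Cache-Control": "max-age=60"}),
]

def audit(exchanges=SAMPLE_EXCHANGES) -> Dict[str, str]:
    """Map each request path to the verdict a well-behaved shared cache reaches."""
    return {path: shared_cache_verdict(req, resp)[0] for path, req, resp in exchanges}

if __name__ == "__main__":
    for path, verdict in audit().items():
        print(f"{verdict:10} {path}")
```

Only the first sample is safe for a proxy to store; a proxy whose asset-caching rule matches on the URL alone, or that ignores Set-Cookie, would store the login response too.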