
# Security Report

Open AkshayraviC09YC47 opened this issue 2 years ago • 11 comments

Hello maintainer, I have reported a few security vulnerabilities of sismics/doc via huntr.dev. Please check those reports; the huntr team admin mentioned that they were not able to reach you.

Here are the report links:

- https://huntr.dev/bounties/504a3cfb-5c89-4964-9dff-755c49e5b190/
- https://huntr.dev/bounties/2be10ae3-cd49-4446-9b24-931a2c338006/
- https://huntr.dev/bounties/8cf26b11-c29c-4a22-947e-befecfabd2df/
- https://huntr.dev/bounties/7b78cf91-3bd8-477e-b695-ae9228b785ba/

AkshayraviC09YC47 avatar Jul 19 '22 09:07 AkshayraviC09YC47

@archiloque @hukoeth @SerialVelocity @kazelot Hello maintainers, pls look into this, thanks

AkshayraviC09YC47 avatar Jul 27 '22 09:07 AkshayraviC09YC47

Hey @jendib, I can confirm that those issues are true and should be fixed to have a more secure system. They pointed out some information like missing CSRF protection, bruteforcing passwords and so on :-O

vmario89 avatar Aug 07 '22 12:08 vmario89

Will there be a fix soon or is this repository inactive?

SamTV12345 avatar Aug 21 '22 18:08 SamTV12345

This project is not inactive, but it's open source so any contribution is welcome if you feel that you want a fix quickly.

jendib avatar Aug 21 '22 18:08 jendib

I would love to help fix these issues. The problem is that they are only visible to maintainers of this repository. So nobody except the maintainers can actually fix the listed issues.

SamTV12345 avatar Aug 21 '22 18:08 SamTV12345

@SamTV12345 Ok I didn't know about that. If you have some time you can work on the error message when an account doesn't exist in requesting a new password. It has to be done server side and not just on the label in the JS app. Everything is happening in UserResource.java method "passwordLost". We just need to return "status: ok" in every case and probably update the unit test and the JS frontend as well.

jendib avatar Aug 21 '22 19:08 jendib

It seems to be fixed: UserResource.java. They all return status ok every time. I'll check out the JS frontend tomorrow.

SamTV12345 avatar Aug 21 '22 20:08 SamTV12345

@SamTV12345 Your link points to the current code base? I see a `throw new ClientException("UserNotFound", "User not found: " + username);` so it's not fixed.

jendib avatar Aug 21 '22 23:08 jendib
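
Added example, not part of the thread and not the project's code: a self-contained Java sketch of the change discussed in the two comments above, with the lookup that reveals whether an account exists beside a version that answers "status: ok" in every case. The class, method and field names and the sample data are hypothetical.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration; names are hypothetical, not the project's UserResource code.
public class PasswordLostExample {
    // Constructed sample data: username -> e-mail address.
    static final Map<String, String> USERS = new HashMap<>();
    // Stands in for the outgoing mail queue so the example runs offline.
    static final List<String> OUTBOX = new ArrayList<>();

    static { USERS.put("alice", "alice@example.org"); }

    // Before: the error tells the caller whether the account exists.
    static String passwordLostLeaky(String username) {
        String email = USERS.get(username);
        if (email == null) {
            throw new IllegalArgumentException("User not found: " + username);
        }
        OUTBOX.add(email);
        return "{\"status\":\"ok\"}";
    }

    // After: identical response in every case; mail is queued only for real accounts.
    static String passwordLostUniform(String username) {
        String email = USERS.get(username);
        if (email != null) {
            OUTBOX.add(email);
        }
        return "{\"status\":\"ok\"}";
    }

    public static void main(String[] args) {
        String known = passwordLostUniform("alice");
        String unknown = passwordLostUniform("nobody");
        // The regression check a unit test would carry: both answers must match.
        if (!known.equals(unknown)) throw new AssertionError("responses differ");
        if (OUTBOX.size() != 1) throw new AssertionError("mail queued for unknown user");
        try {
            passwordLostLeaky("nobody");
            throw new AssertionError("expected the leaky version to throw");
        } catch (IllegalArgumentException e) {
            System.out.println("leaky version reveals: " + e.getMessage());
        }
        System.out.println("uniform version: " + known + " / " + unknown);
    }
}
```

If the mail is sent synchronously inside the request, response time can still differ between the two cases, so queuing the send keeps the answers comparable in timing as well as content.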

@jendib @vmario89 @SamTV12345 @archiloque

Hello maintainers, if any of the identified vulnerabilities has been fixed, please mark them as valid/fixed on huntr.dev from the above-mentioned report links.

AkshayraviC09YC47 avatar Aug 22 '22 03:08 AkshayraviC09YC47

I solved the first issue but it needs to be merged into the main branch.

SamTV12345 avatar Aug 26 '22 11:08 SamTV12345

@SamTV12345 Hello maintainer, please mark the fixed report as valid on huntr.dev and resolved, then only my reputation will increase, and also add the patch (SHA), thanks

AkshayraviC09YC47 avatar Aug 26 '22 12:08 AkshayraviC09YC47