
Different behaviors when directly visiting project URLs

Open nevercodecorrect opened this issue 1 year ago • 3 comments

Hello, an attacker could learn which projects exist by simply brute-force checking localhost:8080/testproject. If the returned page is the authentication page, then he knows the project exists, whereas if the project does not exist, the returned page will be the create-project page. It also applies to the user/bill index. The returned pages are different and the index is easy to guess. None of those trials need any login/privilege at all.

nevercodecorrect avatar Jan 03 '24 07:01 nevercodecorrect

You're correct, thanks for bringing this up. I believe it's a tradeoff we're making right now, to ease the life of the users.

Some more context:

  • the id of the project is not secret, and is not shared with other services, so for instance a leak of a database wouldn't be usable with other leaked databases (like we see for usernames/emails)

Mitigations:

  • We have a protection in place for logins, but only used for /admin, so I wonder if we should also protect other resources, and if that would be enough to mitigate this.
  • Always present the authenticator page, even when the project doesn't exist.
  • Never present the authenticator page, even when the project exists, and always redirect to the front page.

What do you think?

almet avatar Jan 03 '24 16:01 almet
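The oracle described in the opening report and the second mitigation almet lists ("always present the authenticator page, even when the project doesn't exist") side by side, as an added example that is not ihatemoney's own code. Both apps are minimal stdlib-only WSGI handlers driven in-process; the project id `demo`, its password, the salt and the response bodies are constructed for the example, and the route shapes (`/<project>`, `/create`, `/<project>/bills`) are assumptions, not the project's real URLs.

```python
"""Added example (not ihatemoney code): the project-existence oracle from the
issue, and the 'always present the login page' mitigation, as two tiny WSGI
apps driven in-process with the standard library only."""
import hashlib
import hmac
import io
import secrets
from urllib.parse import parse_qs
from wsgiref.util import setup_testing_defaults

SALT = b"constructed-salt"   # illustrative; a real app stores a per-project salt
ITERATIONS = 10_000          # kept low so the example runs quickly


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed sample data: the only project that exists is "demo".
PROJECTS = {"demo": hash_password("s3cret")}
DUMMY_HASH = hash_password(secrets.token_hex(16))  # compared against when the id is unknown

LOGIN_FORM = b'<form method="post"><input name="password"></form>'
LOGIN_FAILED = b"<p>Invalid project id or password.</p>" + LOGIN_FORM


def project_from(environ):
    return environ["PATH_INFO"].strip("/").split("/")[0]


def leaky_app(environ, start_response):
    """Behaviour reported in the issue: an unauthenticated GET already reveals
    whether the id exists (login form vs. redirect to the creation page)."""
    project = project_from(environ)
    if project in PROJECTS:
        start_response("200 OK", [("Content-Type", "text/html")])
        return [LOGIN_FORM]
    start_response("302 Found", [("Location", "/create?project=" + project)])
    return [b""]


def uniform_app(environ, start_response):
    """Mitigation: every GET gets the same login form, and a failed POST gets the
    same response whether the id is unknown or the password is wrong."""
    if environ["REQUEST_METHOD"] != "POST":
        start_response("200 OK", [("Content-Type", "text/html")])
        return [LOGIN_FORM]  # body must not vary with the requested id
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode())
    project = project_from(environ)
    # Always hash and always compare, so response time does not depend on existence either.
    stored = PROJECTS.get(project, DUMMY_HASH)
    match = hmac.compare_digest(hash_password(form.get("password", [""])[0]), stored)
    if match and project in PROJECTS:
        start_response("302 Found", [("Location", f"/{project}/bills")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [LOGIN_FAILED]


def call(app, method, path, body=b""):
    """Drive a WSGI app in-process; returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, PATH_INFO=path,
                   CONTENT_TYPE="application/x-www-form-urlencoded",
                   CONTENT_LENGTH=str(len(body)))
    environ["wsgi.input"] = io.BytesIO(body)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], out


def fingerprint(response):
    """What an attacker compares: status, redirect target (query stripped), body hash."""
    status, headers, body = response
    return status, headers.get("Location", "").split("?")[0], hashlib.sha256(body).hexdigest()


def enumerate_projects(app, wordlist):
    """Unauthenticated oracle from the issue: a name is reported as existing when
    its response differs from that of a random name that cannot exist."""
    baseline = fingerprint(call(app, "GET", "/" + secrets.token_hex(8)))
    return {name for name in wordlist if fingerprint(call(app, "GET", "/" + name)) != baseline}


if __name__ == "__main__":
    guesses = ["demo", "alpha", "finance"]
    print("leaky:  ", enumerate_projects(leaky_app, guesses))    # {'demo'}
    print("uniform:", enumerate_projects(uniform_app, guesses))  # set()
```

Against `leaky_app` the unauthenticated probe recovers `demo` from a three-word list; against `uniform_app` it recovers nothing, because existence is only learned by presenting the right password on a POST. That still leaves password brute force, which is why the login rate limiting almet mentions for /admin belongs on the project login POST as well; uniform responses remove the free oracle, throttling bounds what an attacker can do with the paid one.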

We want to display the authentication page in all cases, and ideally merge the project creation form with the one from the homepage.

almet avatar Apr 28 '24 15:04 almet

Sorry for the late reply, that would be better in terms of security.

nevercodecorrect avatar May 07 '24 15:05 nevercodecorrect