Critical API Vulnerability #2542

Closed
sticks221 opened this issue Feb 8, 2019 · 1 comment

Comments

@sticks221

Steps to reproduce

  1. Collect your personal API key (from within the "Your personal information" window)
  2. Make an API call using a guessed item ID by opening a browser and entering https://[SERVERNAME]/api/index.php/read/items/[ITEM ID]?apikey=[API KEY]
  3. You will see the item data and password regardless of your permissions within the application

Expected behaviour

Access should be denied to any user API key that wouldn't normally have access to the item

Actual behaviour

The user is able to see absolutely any item in the system. A simple few-line script could collect every credential in the system, even if none are supposed to be permitted.

Server configuration

Operating system: Linux srvtp01 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64

Web server: Apache/2.4.18 (Ubuntu)

Database: 5.7.25-0ubuntu0.16.04.2

PHP version: 7.0.32-0ubuntu0.16.04.1

Teampass version: 2.1.27.11

Teampass configuration file:

'max_latest_items' => '10',
'enable_favourites' => '1',
'show_last_items' => '1',
'enable_pf_feature' => '0',
'log_connections' => '1',
'log_accessed' => '1',
'time_format' => 'H:i:s',
'date_format' => 'd/m/Y',
'duplicate_folder' => '0',
'item_duplicate_in_same_folder' => '0',
'duplicate_item' => '0',
'number_of_used_pw' => '3',
'manager_edit' => '1',
'cpassman_dir' => '/var/www/html/teampass',
'cpassman_url' => 'https://<anonym_url>',
'favicon' => 'https://<anonym_url>/favicon.ico',
'path_to_upload_folder' => '/var/www/html/teampass/upload',
'url_to_upload_folder' => 'https://<anonym_url>/upload',
'path_to_files_folder' => '/var/www/html/teampass/files',
'url_to_files_folder' => 'https://<anonym_url>/files',
'activate_expiration' => '0',
'pw_life_duration' => '0',
'maintenance_mode' => '0',
'enable_sts' => '0',
'encryptClientServer' => '1',
'cpassman_version' => '2.1.27',
'ldap_mode' => '1',
'ldap_type' => 'windows',
'ldap_suffix' => '@xxxxx',
'ldap_domain_dn' => 'dc=xxxx',
'ldap_domain_controler' => 'xxxx',
'ldap_user_attribute' => '0',
'ldap_ssl' => '0',
'ldap_tls' => '0',
'ldap_elusers' => '0',
'ldap_search_base' => '0',
'ldap_port' => '389',
'richtext' => '0',
'allow_print' => '0',
'roles_allowed_to_print' => '6',
'show_description' => '1',
'anyone_can_modify' => '0',
'anyone_can_modify_bydefault' => '0',
'nb_bad_authentication' => '0',
'utf8_enabled' => '1',
'restricted_to' => '0',
'restricted_to_roles' => '0',
'enable_send_email_on_user_login' => '0',
'enable_user_can_create_folders' => '1',
'insert_manual_entry_item_history' => '0',
'enable_kb' => '0',
'enable_email_notification_on_item_shown' => '0',
'enable_email_notification_on_user_pw_change' => '0',
'custom_logo' => '',
'custom_login_text' => '',
'default_language' => 'english',
'send_stats' => '0',
'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
'send_stats_time' => '1518013659',
'get_tp_info' => '1',
'send_mail_on_user_login' => '0',
'nb_items_by_query' => 'auto',
'enable_delete_after_consultation' => '0',
'enable_personal_saltkey_cookie' => '0',
'personal_saltkey_cookie_duration' => '31',
'email_smtp_server' => 'xxxx',
'email_smtp_auth' => '',
'email_auth_username' => '',
'email_auth_pwd' => '',
'email_port' => '25',
'email_security' => '',
'email_server_url' => '',
'email_from' => 'noreply@teampass.xxxx',
'email_from_name' => 'TeamPass Server',
'pwd_maximum_length' => '40',
'google_authentication' => '0',
'delay_item_edition' => '0',
'allow_import' => '0',
'proxy_ip' => 'nxxxx',
'proxy_port' => '9480',
'upload_maxfilesize' => '10mb',
'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
'upload_imagesext' => 'jpg,jpeg,gif,png',
'upload_pkgext' => '7z,rar,tar,zip',
'upload_otherext' => 'sql,xml',
'upload_imageresize_options' => '1',
'upload_imageresize_width' => '800',
'upload_imageresize_height' => '600',
'upload_imageresize_quality' => '90',
'use_md5_password_as_salt' => '0',
'ga_website_name' => 'TeamPass for ChangeMe',
'api' => '1',
'subfolder_rights_as_parent' => '1',
'show_only_accessible_folders' => '1',
'enable_suggestion' => '1',
'otv_expiration_period' => '7',
'default_session_expiration_time' => '15',
'duo' => '0',
'enable_server_password_change' => '0',
'ldap_object_class' => '0',
'bck_script_path' => '/var/www/html/teampass/backups',
'bck_script_filename' => 'bck_teampass',
'syslog_enable' => '1',
'syslog_host' => 'xxxx',
'syslog_port' => '514',
'manager_move_item' => '0',
'create_item_without_password' => '0',
'otv_is_enabled' => '0',
'agses_authentication_enabled' => '0',
'item_extra_fields' => '0',
'saltkey_ante_2127' => 'none',
'migration_to_2127' => 'done',
'files_with_defuse' => 'done',
'timezone' => 'UTC',
'enable_attachment_encryption' => '1',
'personal_saltkey_security_level' => '50',
'ldap_new_user_is_administrated_by' => '6',
'disable_show_forgot_pwd_link' => '0',
'offline_key_level' => '60',
'enable_http_request_login' => '0',
'ldap_and_local_authentication' => '0',
'ldap_allowed_usergroup' => 'UG_ICT_TeamPass',
'ldap_new_user_role' => '',
'copy_to_clipboard_small_icons' => '1',
'settings_offline_mode' => '1',
'enable_massive_move_delete' => '0',
'tree_counters' => '0',
'teampass_version' => '2.1.27',
);

Updated from an older Teampass or fresh install:

Client configuration

Browser: Any

Operating system: Windows Server 2008 R2 / 7 - 64bits

Logs

Web server error log

Undefined index: path - /var/www/html/teampass/sources/main.queries.php (1270)

Teampass 10 last system errors

 * 18/05/2018 08:17:44 - Query: INSERT INTO `teampass_log_items` (`id_item`,`date`,`id_user`,`action`) VALUES ('', 1526631464, '10000000', 'at_password_copied') | Error: Incorrect integer value: '' for column 'id_item' at row 1 | @ /sources/items.logs.php
 * 30/04/2018 10:31:13 - Query: INSERT INTO `teampass_log_items` (`id_item`,`date`,`id_user`,`action`) VALUES ('', 1525084273, '10000010', 'at_password_copied') | Error: Incorrect integer value: '' for column 'id_item' at row 1 | @ /sources/items.logs.php
 * 28/03/2018 09:21:43 - Query: INSERT INTO `teampass_log_system` (`type`,`date`,`label`,`qui`,`field_1`) VALUES ('user_mngt', 1522228903, NULL, '1', '10000021') | Error: Column 'label' cannot be null | @ /sources/users.queries.php
 * 28/03/2018 08:51:17 - Query: INSERT INTO `teampass_log_system` (`type`,`date`,`label`,`qui`,`field_1`) VALUES ('user_mngt', 1522227077, NULL, '1', '10000007') | Error: Column 'label' cannot be null | @ /sources/users.queries.php

Log from the web-browser developer console (CTRL + SHIFT + i)

[Screenshots: access to a high level account using a low level api key; high level user; standard user]

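Bulk reads of this endpoint leave a recognisable trace in the web server access log, since each guessed item ID and the API key both sit in the request line. As an added example (not from the report or from Teampass), this Python snippet parses constructed Apache-style log lines shaped like the URL in step 2 and flags API keys that successfully read many distinct item IDs; the log lines, key names, IPs and threshold are all constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (not taken from the report). The path
# follows the shape in the issue: /api/index.php/read/items/<ITEM ID>?apikey=<KEY>.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Feb/2019:09:00:01 +0000] "GET /api/index.php/read/items/41?apikey=KEY_A HTTP/1.1" 200 512
10.0.0.5 - - [08/Feb/2019:09:00:02 +0000] "GET /api/index.php/read/items/42?apikey=KEY_A HTTP/1.1" 200 498
10.0.0.5 - - [08/Feb/2019:09:00:02 +0000] "GET /api/index.php/read/items/43?apikey=KEY_A HTTP/1.1" 200 502
10.0.0.5 - - [08/Feb/2019:09:00:03 +0000] "GET /api/index.php/read/items/44?apikey=KEY_A HTTP/1.1" 200 477
10.0.0.5 - - [08/Feb/2019:09:00:03 +0000] "GET /api/index.php/read/items/45?apikey=KEY_A HTTP/1.1" 200 511
10.0.0.5 - - [08/Feb/2019:09:00:04 +0000] "GET /api/index.php/read/items/46?apikey=KEY_A HTTP/1.1" 200 509
10.0.0.9 - - [08/Feb/2019:09:05:10 +0000] "GET /api/index.php/read/items/7?apikey=KEY_B HTTP/1.1" 200 530
10.0.0.9 - - [08/Feb/2019:09:07:22 +0000] "GET /api/index.php/read/items/7?apikey=KEY_B HTTP/1.1" 200 530
10.0.0.9 - - [08/Feb/2019:09:09:00 +0000] "GET /index.php?page=items HTTP/1.1" 200 9120
"""

# Common/combined log format: client IP, identity, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Only the API item-read path matters here; the item ID is the last path segment.
ITEM_RE = re.compile(r'^/api/index\.php/read/items/(?P<item>\d+)$')


def parse_item_reads(log_text):
    """Yield (apikey, client_ip, item_id, http_status) for every API item read."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        im = ITEM_RE.match(parts.path)
        if not im:
            continue  # not an API item read, e.g. a normal UI page
        # The key travels in the query string, so it is recoverable from the log.
        key = parse_qs(parts.query).get('apikey', ['<none>'])[0]
        yield key, m.group('ip'), int(im.group('item')), int(m.group('status'))


def find_enumerating_keys(log_text, min_distinct_items=5):
    """Return {apikey: sorted distinct item IDs} for keys whose successful (200)
    reads cover at least min_distinct_items different items: the footprint of
    one key harvesting items it would not normally be shown."""
    seen = defaultdict(set)
    for key, _ip, item, status in parse_item_reads(log_text):
        if status == 200:
            seen[key].add(item)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct_items}
```

Because the key is part of the logged URL, anyone with access to the access log can read it; rotating keys after an incident is part of the cleanup, not only patching the permission check.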
@nilsteampassnet
Owner

This is why, since a couple of versions, the API key is defined per user.
So that using the user API key, the system knows what rights the user has and can limit to allowed items.
Please upgrade.
