Steps to reproduce
1. Collect your personal API key (from within the "Your personal information" window)
2. Make an API call using a guessed item ID by opening a browser and entering https://[SERVERNAME]/api/index.php/read/items/[ITEM ID]?apikey=[API KEY]
3. You will see the item data and password regardless of your permissions within the application
Expected behaviour
Access should be denied to any user API key that wouldn't normally have access to the item
Actual behaviour
The user is able to see absolutely any item in the system. A simple few-line script could collect every credential in the system even if none are supposed to be permitted.
Server configuration
Operating system: Linux srvtp01 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64
This is why, since a couple of versions ago, the API key is defined per user.
So, using the user's API key, the system knows what rights the user has and can limit access to the allowed items.
Please upgrade.
Web server: Apache/2.4.18 (Ubuntu)
Database: 5.7.25-0ubuntu0.16.04.2
PHP version: 7.0.32-0ubuntu0.16.04.1
Teampass version: 2.1.27.11
Teampass configuration file:
Updated from an older Teampass or fresh install:
Client configuration
Browser: Any
Operating system: Windows Server 2008 R2 / 7 - 64bits
Logs
Web server error log
Teampass 10 last system errors
Log from the web-browser developer console (CTRL + SHIFT + i)
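As an added example (not Teampass code), the two lookup patterns this thread contrasts side by side: a shared, instance-wide API key, which only proves the caller holds a key and therefore returns any item to anyone, beside a per-user key that is resolved to a user and checked against that user's folder rights before the item is returned, as the maintainer's reply describes. All items, keys and folder rights are constructed inline; the function and field names are assumptions, not Teampass's own.

```python
from dataclasses import dataclass, asdict
from typing import Optional, Dict, Set, Tuple

@dataclass(frozen=True)
class Item:
    id: int
    folder_id: int
    label: str
    password: str

# Constructed sample data: two items in two different folders.
ITEMS: Dict[int, Item] = {
    101: Item(101, folder_id=1, label="root db", password="s3cret"),
    102: Item(102, folder_id=2, label="hr portal", password="hunter2"),
}

# Old design: one key for the whole instance (constructed value).
SHARED_API_KEY = "constructed-shared-key"

# Fixed design: key -> (username, folder ids that user may read) (constructed).
USER_API_KEYS: Dict[str, Tuple[str, Set[int]]] = {
    "constructed-key-alice": ("alice", {1}),
    "constructed-key-bob": ("bob", {2}),
}

def read_item_shared_key(item_id: int, apikey: str) -> Optional[dict]:
    """Vulnerable pattern from the report: a valid key grants every item,
    because nothing ties the key to a user or to the item's folder."""
    if apikey != SHARED_API_KEY:
        return None          # invalid key: reject
    item = ITEMS.get(item_id)
    return None if item is None else asdict(item)   # any item, any key holder

def read_item_user_key(item_id: int, apikey: str) -> Optional[dict]:
    """Fixed pattern from the reply: resolve the key to a user, then allow the
    read only if the item's folder is one that user may access. An unknown
    item and a denied item get the same answer, so the API does not reveal
    which item ids exist."""
    principal = USER_API_KEYS.get(apikey)
    if principal is None:
        return None          # unknown key: reject
    _username, allowed_folders = principal
    item = ITEMS.get(item_id)
    if item is None or item.folder_id not in allowed_folders:
        return None          # not found or not permitted: identical response
    return asdict(item)
```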