The ticket that is returned by authenticate when it is successful (UUID) is used by the client as a token. This code never checks the ticket, therefore any client can send data to this server and it will accept that data as 'real' without any validation.
I understand that this project is not actively worked on, but wanted to share this here in case anyone comes by and wants to use this. I would consider this a pretty big security vulnerability, and would not use this without fixing this issue.
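To make the missing check concrete, here is a small self-contained Python sketch of the pattern the report describes. It is an added illustration, not code from the project: `TicketServer`, `USERS`, `authenticate`, `submit_unchecked` and `submit_checked` are hypothetical names, and the credential store is constructed inline. `submit_unchecked` accepts whatever ticket it is handed, which is the behaviour the report objects to; `submit_checked` only accepts data when the ticket was actually issued by `authenticate`.

```python
import secrets
import uuid

# Constructed demo credential store (hypothetical, not the project's own data).
USERS = {"alice": "correct horse battery staple"}


class TicketServer:
    """Minimal server that issues UUID tickets and accepts client data."""

    def __init__(self):
        self.valid_tickets = {}   # ticket (str) -> username that earned it
        self.accepted = []        # (principal, payload) records the server trusted

    def authenticate(self, username, password):
        """Return a fresh UUID ticket on success, None on failure."""
        expected = USERS.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        ticket = str(uuid.uuid4())
        self.valid_tickets[ticket] = username
        return ticket

    def submit_unchecked(self, ticket, payload):
        """The flaw described in the report: the ticket is received but never
        looked up, so any caller can have its data recorded as authenticated."""
        self.accepted.append((ticket, payload))
        return True

    def submit_checked(self, ticket, payload):
        """Fixed form: only tickets previously issued by authenticate() are
        honoured, and the data is attributed to the user behind the ticket."""
        user = self.valid_tickets.get(ticket)
        if user is None:
            return False
        self.accepted.append((user, payload))
        return True


if __name__ == "__main__":
    server = TicketServer()
    print("unchecked, bogus ticket:", server.submit_unchecked("not-a-real-ticket", "data"))
    print("checked, bogus ticket:  ", server.submit_checked("not-a-real-ticket", "data"))
    ticket = server.authenticate("alice", "correct horse battery staple")
    print("checked, issued ticket: ", server.submit_checked(ticket, "data"))
```

The registry here is a plain in-memory dict; a real fix would also expire tickets and use whatever storage the server already keeps sessions in, but the essential change is the same: look the ticket up before trusting the data.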