Closed lts-rad closed 8 months ago
We've had a number of (apparent) troll postings related to this that were moderated recently. I haven't had time to look at the blog in question. Please see our security policy in the issue related to his PR, thanks.
Unfortunately the issues in the blog are not imaginary trolling, and I have emailed exploit details to security@raspap.com. The PR addresses the issues that were not fixed correctly from previous security reports, and also extends authentication requirements to mitigate the impact of further flaws which are likely
That's fine, I'm merely pointing out that we have a security protocol in place not unlike most open source projects.
Spamming links across this project's channels to some random "security" blog is unprofessional.
Closing this in favor of #1548
Any device on the network, or anyone with access to the RaspAP web page from upstream of RaspAP, would be able to take over the host running RaspAP and run arbitrary commands.
With the flaws I could also
This pull request addresses some issues. Likely there are more post-auth, but this PR reduces the preauthenticated attack surface. However, the UI fix to support this is not yet complete and needs to be implemented by raspap. The Ajax JS calls need a rewrite to pass along credentials. Most likely a static HTML login page is needed, followed by an update to the Ajax code to do something like:
It was also noticed that raspap limits people's ability to use WPA3 by default; this seems like a poor choice. SAE is not a perfect PAKE, but it's a lot better than WPA2.