code-423n4 / 2021-04-marginswap-findings


The bug submissions are accessible #2

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Email address

mail@gpersoon.com

Handle

gpersoon

Eth address

0x8e2A89fF2F45ed7f8C8506f846200D671e2f176f

Vulnerability details

The github token can be retrieved from the https://c4-marginswap.netlify.app/ website

Proof of concept

In the source of the website (createIssue.js) you can see github is directly accessed from the website. With Fiddler you can search for GITHUB and see: REACT_APP_MAILGUN_DOMAIN:"mg.code423n4.com", REACT_APP_MAILGUN_KEY:"a9763c0878cd90413bf11615456692e7-b6d086a8-be1c8bad", REACT_APP_GITHUB_TOKEN:"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"

With Fiddler you can search for code-423n4 and see: "owner":"code-423n4", "repo":"marginswap-results"

With the GITHUB token you can retrieve the issues: curl -H "Authorization: token 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" https://api.github.com/repos/code-423n4/marginswap-results/issues

This shows: "body": "# Email address\n\nadam@andyet.com\n\n\n# Handle\n\nadamavenir\n\n\n# Eth address\n\n123123123\n\n\n# Vulnerability details\n\nSome details:\n\n\ndetails(schemtails)\n\n\n\n# Impact\n\nBrace for it!\n\n\n# Proof of concept\n\n- proof\n- of \n- concept\n\n\n# Tools used\n\nI used no tools except this form and my BARE HANDS!\n\n\n# Recommended mitigation steps\n\nI would recommend not doing this bug.\n\n",

Impact

With the token you can access the submissions of others and share in their prizes.

Tools used

Fiddler (https://www.telerik.com/) and the developer console of Chrome to look at the source.

Recommended mitigation steps

Either open source the bug submission entirely, or split the bug submission application in two parts, where only a backend has the GitHub keys and does the creating of the issues.

There are tools that promise to do this; I haven't looked into them: https://fire.fundersclub.com/ https://zapier.com/apps/github/integrations/gmail/10314/create-github-issues-from-new-emails-on-gmail-business-gmail-accounts-only https://flow.microsoft.com/en-us/galleries/public/templates/6b590f10bc9011e6b2e2c98b01575bae/send-an-email-to-create-github-issues/

sockdrawermoney commented 3 years ago

Keys are disabled and I'm working on mitigating this. These keys were set in netlify and createIssue.js should be running as a lambda function... so I'm a bit concerned here about either my understanding of netlify's lambda function setup or netlify's security or both.

Told wardens to standby for a new process for submissions.

sockdrawermoney commented 3 years ago

There are two problems:

  1. My total misunderstanding of how netlify's lambda functions work. Cue whooshing noise of lambda going over my head. Best thing about being wrong though is you get to be right again :)
  2. If you put the lambda functions directory inside the src directory, netlify will go ahead and add your environment variables in plain text and deploy them as part of your site. :joy:

Working on updates.

In the meantime, I have taken the form offline and instructed wardens to keep their own notes on vulnerabilities until the form is ready for submissions.

sockdrawermoney commented 3 years ago

@werg @marginswapper @zscole This is now resolved. Or should be, at least!

Form is back online at https://c4-marginswap.netlify.app/