dpgaspar / Flask-AppBuilder

Simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more. Demo (login with guest/welcome) - http://flaskappbuilder.pythonanywhere.com/
BSD 3-Clause "New" or "Revised" License

Password Exfiltration #1860

Closed daniele-arosio closed 2 years ago

daniele-arosio commented 2 years ago

Hi,

using filters in this way:

users/list/?_flt_0_username=user&_flt_0_password=p%
users/list/?_flt_0_username=user&_flt_0_password=pB%
users/list/?_flt_0_username=user&_flt_0_password=pBf%
...

and so on, you can extract the entire password for each user.

Is it possible to remove the password field from the filters?

Thanks, bye

Daniele

thesuperzapper commented 2 years ago

@dpgaspar @z-arosio this is certainly a security problem that should be fixed ASAP, probably by restricting which fields can be filtered on.

However, from my initial assessment, its impact is significantly limited by a few factors:

  1. Only people with the Admin role can access the /users/list/ page
  2. You can only extract the salted and hashed password using this method, e.g. the string "admin" might look like: pbkdf2:sha256:150000$iNOiU0zl$376b7e7ac93cb5d47bbe3e7b539e9a97009a124cd422112ef7d1ba03ff21a35d

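
The character-by-character prefix probing reported above leaves a distinctive trail in the web server's access log: a run of `_flt_<n>_password=` filter requests from one source where each value extends the previous one. The following detection logic is an added example, not code from Flask-AppBuilder or from anyone in this thread; the log lines, client addresses and `SENSITIVE_COLUMNS` set are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Combined Log Format style); not taken from the issue.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2022:10:00:01 +0000] "GET /users/list/?_flt_0_username=user&_flt_0_password=p%25 HTTP/1.1" 200 512
10.0.0.5 - admin [12/Mar/2022:10:00:02 +0000] "GET /users/list/?_flt_0_username=user&_flt_0_password=pB%25 HTTP/1.1" 200 512
10.0.0.5 - admin [12/Mar/2022:10:00:03 +0000] "GET /users/list/?_flt_0_username=user&_flt_0_password=pBf%25 HTTP/1.1" 200 512
10.0.0.9 - admin [12/Mar/2022:10:05:00 +0000] "GET /users/list/?_flt_0_username=bob HTTP/1.1" 200 512
"""

# Columns that should never be filterable through the list view (assumed policy).
SENSITIVE_COLUMNS = {"password"}
# FAB list filters arrive as query params of the form _flt_<index>_<column>.
FILTER_PARAM = re.compile(r"^_flt_\d+_(?P<column>\w+)$")
REQUEST_LINE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)')


def sensitive_filters(target):
    """Return (column, value) pairs for filter params aimed at a sensitive column."""
    query = parse_qs(urlsplit(target).query)  # also percent-decodes %25 -> %
    hits = []
    for name, values in query.items():
        m = FILTER_PARAM.match(name)
        if m and m.group("column") in SENSITIVE_COLUMNS:
            hits.extend((m.group("column"), v) for v in values)
    return hits


def find_probing(log_text, min_requests=2):
    """Group sensitive-column filter requests by (src, user, column) and flag
    sequences where every value extends the previous one, which is the
    prefix-walking pattern described in the report.  Returns the longest
    prefix seen for each flagged key."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        for column, value in sensitive_filters(m.group("target")):
            seen[(m.group("src"), m.group("user"), column)].append(value.rstrip("%"))
    alerts = {}
    for key, values in seen.items():
        extending = all(b.startswith(a) for a, b in zip(values, values[1:]))
        if len(values) >= min_requests and extending:
            alerts[key] = values[-1]
    return alerts
```

A single request filtering on a sensitive column is already worth an alert in most deployments; the `min_requests` threshold only serves to separate a one-off from an active prefix walk.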
dpgaspar commented 2 years ago

Hi @z-arosio,

Thank you for reporting this issue, I agree with @thesuperzapper.

I'll make a fix ASAP

thesuperzapper commented 2 years ago

@dpgaspar I think we should create a CVE for this BTW (might also kick some people to update FAB).

Github has recently added a cool in-built way to make a security advisory on a repo:

thesuperzapper commented 2 years ago

Also, I think you might not have understood the point of the https://github.com/dpgaspar/Flask-AppBuilder/security/policy page, it's meant to explain how to responsibly disclose issues (like this one), not outline FAB's security settings, lol!

Here is the guide to making the security policy, from GitHub: https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository

dpgaspar commented 2 years ago

@thesuperzapper yes, I was planning on requesting a CVE for this one.

Interesting, I don't remember placing that on the security policy (GitHub?). Yet the issue template has a responsible disclosure warning. I'll place it on the security policy also.

Responsible disclosure:
We want to keep Flask-AppBuilder safe for everyone. If you've discovered a security vulnerability
please report to danielvazgaspar@gmail.com.

Thank you once more @thesuperzapper!