pawelmalak / flame

Flame is a self-hosted startpage for your server. Easily manage your apps and bookmarks with built-in editors.
MIT License
5.2k stars 253 forks

[SECURITY] Major security flaw due to hardcoded JWT secret! #465

Open 1RandomDev opened 2 weeks ago

1RandomDev commented 2 weeks ago

Solution: This issue can be easily solved by setting the SECRET environment variable to a long random string, but unfortunately this is mentioned nowhere in the README. Additionally, there should NEVER be a default secret key; it should be required to be set by the user or be randomly generated on each start if not set. In this case, even if the user fails to configure it properly, a new key will be generated on each start, invalidating existing sessions.

Proof: You can easily try this out by logging out of your dashboard, opening the local storage editor in your browser's dev tools and adding the following entry: Key: token Value: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhcHAiOiJmbGFtZSIsImlhdCI6MTcyNDc3MDUyNiwiZXhwIjoxNzU2MzI4MTI2fQ.lQ-qxon9MrSrU_-6sdIApO8fURVRq0kUpwLUIkqAnFE This should log you in to every flame dashboard that's out there regardless of the set password.

simono41 commented 1 week ago

I tried the security vulnerability in my own instance and can only confirm it.

This issue should definitely be fixed, but I believe that this project is no longer maintained.

I will turn off public access to my flame environment until the problem is solved.

sylflo commented 5 days ago

If anyone is interested, I made a simple fix here https://github.com/sylflo/flame/pull/2/files

Also I added a bunch of stuff in the .dockerignore here https://github.com/sylflo/flame/pull/1/files

There is a docker image publicly available at docker.io/sylflo/flame

1RandomDev commented 5 days ago

That's a good hot fix for now; for the long run it would probably be the most user-friendly solution, especially since the app already needs a persistent volume anyway, to generate a random key at the first start and save it in the config.json or another secrets file.