mathsyx69
commented
3 months ago Hello, I noticed this on my instance too. (1.40.15)
Closed pglombardo closed 2 months ago
mathsyx69
commented
3 months ago Hello, I noticed this on my instance too. (1.40.15)
Viajaz
commented
3 months ago It's not particularly good practice to publish the details of an unfixed security vulnerability, even if it's a minor one like this.
pglombardo
commented
3 months ago Hey @Viajaz!
It's not particularly good practice to publish the details of an unfixed security vulnerability, even if it's a minor one like this.
I generally agree but this issue doesn't put any data or already confirmed accounts at risk. Worst case is that some new/empty accounts get confirmed that shouldn't.
This means a malicious user could specify any email address, with an email security solution with URL scanning, and their account will be confirmed without having control over said email address, defeating the purpose of email confirmation for new accounts.
Even this point - if a user can put a URL scanner on a target email domain, the organization has larger problems.
But still point taken - I'll fix this soon.
Viajaz
commented
2 months ago @pglombardo
Even this point - if a user can put a URL scanner on a target email domain, the organization has larger problems.
I didn't mean if a malicious user has installed the such a mechanism, many orgs have legitimate email security solutions which perform HTTP HEAD or GET requests on any links in the email (eg: Microsoft 365 SafeLinks, the initial proactive URL scanning step during mailflow specifically), that's how I discovered this issue, I registered for pwpush.com and I noticed the account was already confirmed by the time it hit my mailbox because the security solution had done exactly that with the confirmation email.
mathsyx69
commented
2 months ago Hello, I update our instance to 1.41.0. Confirmation is automatic, correction does not seem to work. When I click on the link from my outlook client, I get the error message that the email address has already been validated. Looking at the caddy logs, it seems to be due to the Microsoft link verification system.
Microsoft's server request :
{"level":"info","ts":1717403427.2461088,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"52.102.16.181","remote_port":"5296","client_ip":"52.102.16.181","proto":"HTTP/1.1","method":"HEAD","host":"PRIVATE-INFO","uri":"/fr/utilisateurs/confirmation?confirmation_token=5maxwPxyUMsGFvNnYvUm","headers":{"Connection":["Keep-Alive"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"","server_name":"PRIVATE-INFO"}},"bytes_read":0,"user_id":"","duration":0.031592881,"size":0,"status":302,"resp_headers":{"X-Xss-Protection":["0"],"X-Request-Id":["005f6afc-ce57-40a0-86be-74026f5741e3"],"X-Frame-Options":["SAMEORIGIN"],"X-Content-Type-Options":["nosniff"],"Content-Length":["0"],"Cache-Control":["no-cache"],"X-Robots-Tag":["none"],"X-Permitted-Cross-Domain-Policies":["none"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Location":["https://PRIVATE-INFO/fr/utilisateurs/sign_in"],"Content-Type":["text/html; charset=utf-8"],"Set-Cookie":["REDACTED"],"Content-Security-Policy":["upgrade-insecure-requests;"],"Server":["Caddy"],"Strict-Transport-Security":["max-age=31536000"],"X-Runtime":["0.029885"]}}
My request :
{"level":"info","ts":1717403427.6566472,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"PRIVATE-INFO","remote_port":"35061","client_ip":"PRIVATE-INFO","proto":"HTTP/2.0","method":"GET","host":"PRIVATE-INFO","uri":"/fr/utilisateurs/confirmation?confirmation_token=5maxwPxyUMsGFvNnYvUm","headers":{"Sec-Ch-Ua":["\"Microsoft Edge\";v=\"125\", \"Chromium\";v=\"125\", \"Not.A/Brand\";v=\"24\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Site":["none"],"Accept-Language":["fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,en-GB;q=0.6,ha;q=0.5"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Edg/125.0.0.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Priority":["u=0, i"],"Dnt":["1"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua-Mobile":["?0"],"Cookie":["REDACTED"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"PRIVATE-INFO"}},"bytes_read":0,"user_id":"","duration":0.016232011,"size":22954,"status":200,"resp_headers":{"X-Runtime":["0.014680"],"Content-Length":["22954"],"X-Robots-Tag":["none"],"Server":["Caddy"],"X-Xss-Protection":["0"],"X-Request-Id":["f5c27305-11dc-4c59-a960-a6489b72792f"],"X-Permitted-Cross-Domain-Policies":["none"],"Set-Cookie":["REDACTED"],"Etag":["W/\"a40cd75ce1a941ca42f75e596e6c10f1\""],"Cache-Control":["max-age=0, private, must-revalidate"],"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Content-Type-Options":["nosniff"],"Content-Security-Policy":["upgrade-insecure-requests;"],"Strict-Transport-Security":["max-age=31536000"],"Link":["</assets/application-95340552bf967fd38a0ce489f61eff053326a4d3b67363d02b917878049a77f3.css>; rel=preload; as=style; nopush"],"Content-Type":["text/html; charset=utf-8"],"X-Frame-Options":["SAMEORIGIN"]}}
pglombardo
commented
2 months ago Yeah v1.41 protects the registration form from bots but it doesn't fix this confirmation link issue yet. So far, I think the fix I'll go with is the delayed password selection (linked above in the 2 step instructions).
BTW slick that you are using Caddy. I just added a Caddy example setup to the project in #2192.
pglombardo
commented
2 months ago I think I have a fair fix in #2199. I'll test more & try to release it soon.
mathsyx69
commented
2 months ago Yeah v1.41 protects the registration form from bots but it doesn't fix this confirmation link issue yet. So far, I think the fix I'll go with is the delayed password selection (linked above in the 2 step instructions).
BTW slick that you are using Caddy. I just added a Caddy example setup to the project in #2192.
Sorry for the confusion. In any case, thank you for the work you do to maintain this application ! For your caddy configuration template (Caddyfile), you should add these lines in "example.com {}" :
header {
# enable HSTS
Strict-Transport-Security max-age=31536000
# Set cookie as secure
>Set-Cookie (.*) "$1; Secure"
}
This add the flag "Secure" to "Set-Cookie" header to ensure that cookies are only exchanged via HTTPs. If HSTS is configured ("Strict-Transport-Security" header), this configuration is mandatory.
pglombardo
commented
2 months ago Thanks @mathsyx69/good addition! Added in #2201
pglombardo
commented
2 months ago All released in v1.41.1. I tested the confirmation process with the click through quite a few times/in various ways.
I'll close this out for now. Let me know if you have any problems.
š Bug Report
From a user via feedback form:
This is a valid point. Two Step Confirmation would be a solution to this.
š¬ How To Reproduce
Steps to reproduce the behavior:
Code sample
Environment
Where are you running/using Password Pusher?
If applicable, what version of Password Pusher?
Screenshots
š Expected behavior
š Additional context