d1str0
commented
6 years ago Great eye. This is definitely a concern. Will try and address this in the near future.
Open kevthehermit opened 6 years ago
d1str0
commented
6 years ago Great eye. This is definitely a concern. Will try and address this in the near future.
d1str0
commented
6 years ago After a small edit, /api/script/ no longer returns the first script and instead 404s. This does not help fix the authentication issue.
Just setting this up and i noticed that the /api/script/ endpoint is leaking the installation users email address.
It is also unauthenticated. So a quick google search for "Modern Honeypot Network Server" will reveal some public instances where you can get the logon email.
its also simple to iterate all the scripts and potentially pull sensitive data from custom deployment scripts.
e.g. I add a custom email script with some SMTP credentials anyone can view these.