Open kevthehermit opened 6 years ago

Just setting this up and I noticed that the /api/script/ endpoint is leaking the installation user's email address.
It is also unauthenticated. So a quick google search for "Modern Honeypot Network Server" will reveal some public instances where you can get the logon email.
It's also simple to iterate all the scripts and potentially pull sensitive data from custom deployment scripts.
e.g. I add a custom email script with some SMTP credentials; anyone can view these.

Great eye. This is definitely a concern. Will try and address this in the near future.

After a small edit, /api/script/ no longer returns the first script and instead 404s. This does not help fix the authentication issue.
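The two problems the report describes (an API endpoint that answers without authentication, and deployment scripts that may embed credentials) can both be checked against your own deployment. The example below is added here and is not MHN's code or the reporter's; it stands up a tiny stand-in for a `/api/script/` endpoint with a constructed script record, audits whether that endpoint answers an unauthenticated request (and what it exposes), and scans a script body for credential-looking assignments before it is stored. The `X-API-Key` header, the key value, the e-mail address and the script text are all constructed assumptions for the demonstration, not MHN's real authentication mechanism or data.

```python
import hmac
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample record standing in for what the report says the endpoint
# returns: a script row that carries the installing user's e-mail address.
SCRIPTS = [
    {
        "id": 1,
        "name": "example-smtp-notifier",
        "user": "admin@example.invalid",        # constructed e-mail, not a real one
        "script": "SMTP_HOST=mail.example.invalid\nSMTP_PASS=constructed-secret\n",
    }
]
# Hypothetical shared key; an assumed mechanism for this example only.
API_KEY = "constructed-example-key"


class ScriptAPI(BaseHTTPRequestHandler):
    """Stand-in for /api/script/. With require_auth=False it behaves like the
    endpoint in the report; with require_auth=True it demands a valid key."""
    require_auth = True

    def do_GET(self):
        if not self.path.startswith("/api/script/"):
            self.send_error(404)
            return
        supplied = self.headers.get("X-API-Key", "")
        if self.require_auth and not hmac.compare_digest(supplied, API_KEY):
            self._send_json(401, {"error": "authentication required"})
            return
        self._send_json(200, SCRIPTS)

    def _send_json(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the demo quiet; a real server would log these requests.
        return


def serve(require_auth):
    """Start the stand-in server on a free loopback port; returns the server object."""
    handler = type("ConfiguredScriptAPI", (ScriptAPI,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def audit_script_endpoint(base_url):
    """Ask /api/script/ for its listing with no credentials at all.

    Returns whether the listing was handed out, the HTTP status seen, and any
    e-mail addresses the listing exposed (the leak the report is about)."""
    try:
        with urlopen(Request(base_url + "/api/script/"), timeout=5) as resp:
            data = json.loads(resp.read())
    except HTTPError as err:
        return {"unauthenticated_access": False, "status": err.code, "emails": []}
    emails = sorted({row.get("user") for row in data if row.get("user")})
    return {"unauthenticated_access": True, "status": 200, "emails": emails}


# Assignment-style lines whose left-hand side looks like a secret.
SENSITIVE = re.compile(r"(?i)\b(pass(word|wd)?|secret|token|api[_-]?key|smtp_pass)\w*\s*[=:]")


def find_credential_like_lines(script_text):
    """Return (line number, line) pairs that look like embedded credentials,
    so a deployment script can be reviewed before it is stored on the server."""
    return [(n, line) for n, line in enumerate(script_text.splitlines(), 1)
            if SENSITIVE.search(line)]


if __name__ == "__main__":
    for require_auth in (False, True):
        srv = serve(require_auth)
        url = "http://127.0.0.1:%d" % srv.server_address[1]
        print("require_auth=%s ->" % require_auth, audit_script_endpoint(url))
        srv.shutdown()
    print(find_credential_like_lines(SCRIPTS[0]["script"]))
```

Point `audit_script_endpoint` at your own MHN server's base URL to confirm that the listing is refused without credentials; the stand-in server is only there so the example runs offline. `find_credential_like_lines` is deliberately a coarse pattern match: it is meant as a pre-commit style nudge to move SMTP and similar secrets out of deployment scripts, not as a complete secret scanner.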