Closed ThelloD closed 4 years ago
Hey! Thanks for the heads up, you can email me at ross.mountjoy@gmail.com I'm busy the rest of the night but should be able to look into it tomorrow.
Thanks, sent you an email with the details.
I just noticed that although the issue was fixed with daa4fe6 in the "develop" branch, the master branch was not patched sufficiently.
In __init__.py, the code for creating/storing/loading a unique secret key was added, however the fixed-string assignment was not replaced by app.config["SECRET_KEY"] = secret_key and therefore the old static secret key is still used for v0.5.
So v0.5 and the latest (non-development) version on Docker Hub are still vulnerable.
The issue is still present with the latest commit c9027a6. @rmountjoy92 could you please re-open this issue?
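The missing step described in the comment above, as an added example that is not Dashmachine's own code: generate a per-instance secret key on first start, persist it so restarts keep sessions valid, and actually assign it to app.config["SECRET_KEY"]. The key file path and the demo helper are assumptions; a plain dict stands in for Flask's app.config, which is a dict subclass.

```python
import os
import secrets
import tempfile
from pathlib import Path

# 32 random bytes (64 hex chars), the size Flask's docs suggest for SECRET_KEY.
KEY_BYTES = 32


def load_or_create_secret_key(path):
    """Return this instance's secret key, creating and persisting it on first run.

    A missing, empty or truncated key file is replaced rather than trusted, so
    the application never ends up signing sessions with a weak or shared value.
    """
    key_file = Path(path)
    if key_file.exists():
        key = key_file.read_text(encoding="utf-8").strip()
        if len(key) >= 2 * KEY_BYTES:
            return key
    key = secrets.token_hex(KEY_BYTES)
    key_file.parent.mkdir(parents=True, exist_ok=True)
    # Create the file owner-readable only (mode is ignored on Windows).
    fd = os.open(key_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(key)
    return key


def configure_secret_key(config, path):
    """Load the per-instance key and assign it; this is the line v0.5 master lacked."""
    key = load_or_create_secret_key(path)
    config["SECRET_KEY"] = key  # replaces the former fixed-string assignment
    return key


def demo_isolated_instances():
    """Constructed check: two instances get different keys, a restart keeps the
    key, and a truncated key file is regenerated instead of being reused."""
    with tempfile.TemporaryDirectory() as base:
        path_a = os.path.join(base, "instance_a", "secret_key")
        path_b = os.path.join(base, "instance_b", "secret_key")
        config_a, config_b = {}, {}
        key_a = configure_secret_key(config_a, path_a)
        key_b = configure_secret_key(config_b, path_b)
        key_a_again = configure_secret_key({}, path_a)  # simulated restart
        open(path_a, "w").close()  # simulate an empty/truncated key file
        key_a_fresh = load_or_create_secret_key(path_a)
    return {
        "distinct": key_a != key_b,
        "stable_across_restart": key_a_again == key_a and config_a["SECRET_KEY"] == key_a,
        "regenerated_after_truncate": key_a_fresh != key_a and len(key_a_fresh) == 2 * KEY_BYTES,
    }
```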
@ThelloD Sorry for the delay, just pushed the fix, good catch.
Affected are both v0.5-4 and 0.6/dev, and likewise older versions (not confirmed). The issue allows an unauthorized user to gain administrative privileges on the Dashmachine interface.
The issue was confirmed by using multiple docker instances running on the same host. Although it was not tested, I assume that non-dockerized instances, as well as instances running on other hosts, are affected too, therefore allowing anyone full access to every Dashboard instance.
I already have a step-by-step guide to reproduce the issue and can provide the required remediation actions. For properly fixing the issue a bit of coding will be required, but there's also a workaround to secure already running instances.
To prevent compromise of already running instances, I would prefer not to publicly share further details here for now until a fix is available. Can I contact you by other means, maybe via private message on Reddit?