Special Notes
This is a vulnerability in unreleased revisions. It is typically not needed to publish security advisories for unreleased revisions. However, given the project's nature, large portion of users use HEAD of master via git clone. Thus, this security advisory was published to increase awareness of the vulnerability.
Note that this practice may change in the future when a stable release process is established.
Impact
Server JWT signing secret was included in static assets and served to clients.
This ALLOWS Flood's builtin authentication to be bypassed. Given Flood is granted access to rTorrent's SCGI interface (which is unprotected and ALLOWS arbitrary code execution) and usually wide-ranging privileges to files, along with Flood's lack of security controls against authenticated users, the severity of this vulnerability is CRITICAL.
Background
Commit 8d11640 imported config.js to client (frontend) components to get disableUsersAndAuth configuration variable. Subsequently contents of config.js are compiled into static assets and served to users. Unfortunately config.js also includes secret.
Intruders can use secret to sign authentication tokens themselves to bypass builtin access control of Flood.
Patches
Commit 042cb4c removed imports of config.js from client (frontend) components. Additionally an eslint rule was added to prevent config.js from being imported to client (frontend) components.
Commit 103f53c provided a general mitigation to this kind of problem by searching static assets to ensure secret is not included before starting server (backend).
Workarounds
Users shall upgrade if they use Flood's builtin authentication system.
While maintainers will do their best to support it, Flood cannot guarantee its in-house access control system can stand against determined attackers in high-stake environments.
Use HTTP Basic Auth or other battle-hardened authentication methods instead of Flood's in-house one. You can use disableUsersAndAuth to avoid duplicate authentication.
Users are advised to check out the wiki for more information on security precautions.
References
Wiki - Security precautions
Introduction to JSON Web Tokens
For more information
If you have any questions or comments about this advisory:
jesec Analyst
Special Notes
This is a vulnerability in
unreleased revisions. It is typically not needed to publish security advisories forunreleased revisions. However, given the project's nature, large portion of users useHEAD of masterviagit clone. Thus, this security advisory was published to increase awareness of the vulnerability.Note that this practice may change in the future when a stable release process is established.
Impact
Server JWT signing secret was included in static assets and served to clients.
This ALLOWS Flood's builtin authentication to be bypassed. Given Flood is granted access to rTorrent's SCGI interface (which is unprotected and ALLOWS arbitrary code execution) and usually wide-ranging privileges to files, along with Flood's lack of security controls against authenticated users, the severity of this vulnerability is CRITICAL.
Background
Commit 8d11640 imported
config.jsto client (frontend) components to getdisableUsersAndAuthconfiguration variable. Subsequently contents ofconfig.jsare compiled into static assets and served to users. Unfortunatelyconfig.jsalso includessecret.Intruders can use
secretto sign authentication tokens themselves to bypass builtin access control of Flood.Patches
Commit 042cb4c removed imports of
config.jsfrom client (frontend) components. Additionally an eslint rule was added to prevent config.js from being imported to client (frontend) components.Commit 103f53c provided a general mitigation to this kind of problem by searching static assets to ensure
secretis not included before starting server (backend).Workarounds
Users shall upgrade if they use Flood's builtin authentication system.
While maintainers will do their best to support it, Flood cannot guarantee its in-house access control system can stand against determined attackers in high-stake environments.
Users are advised to check out the wiki for more information on security precautions.
References
Wiki - Security precautions
Introduction to JSON Web Tokens
For more information
If you have any questions or comments about this advisory: