Skip to content

Server secret was included in static assets and served to clients

Critical severity GitHub Reviewed Published Aug 24, 2020 in jesec/flood • Updated Jan 6, 2023

Package

npm flood (npm)

Affected versions

>= 2.0.0, < 3.0.0

Patched versions

3.0.0

Description

Impact

Server JWT signing secret was included in static assets and served to clients.

This ALLOWS Flood's builtin authentication to be bypassed. Given Flood is granted access to rTorrent's SCGI interface (which is unprotected and ALLOWS arbitrary code execution) and usually wide-ranging privileges to files, along with Flood's lack of security controls against authenticated users, the severity of this vulnerability is CRITICAL.

Background

Commit 8d11640b imported config.js to client (frontend) components to get disableUsersAndAuth configuration variable. Subsequently contents of config.js are compiled into static assets and served to users. Unfortunately config.js also includes secret.

Intruders can use secret to sign authentication tokens themselves to bypass builtin access control of Flood.

Patches

Commit 042cb4ce removed imports of config.js from client (frontend) components. Additionally an eslint rule was added to prevent config.js from being imported to client (frontend) components.

Commit 103f53c8 provided a general mitigation to this kind of problem by searching static assets to ensure secret is not included before starting server (backend).

Workarounds

Users shall upgrade if they use Flood's builtin authentication system.

While maintainers will do their best to support it, Flood cannot guarantee its in-house access control system can stand against determined attackers in high-stake environments.

Use HTTP Basic Auth or other battle-hardened authentication methods instead of Flood's in-house one. You can use disableUsersAndAuth to avoid duplicate authentication.

Users are advised to check out the wiki for more information on security precautions.

References

Wiki - Security precautions

Introduction to JSON Web Tokens

For more information

If you have any questions or comments about this advisory:

References

@jesec jesec published to jesec/flood Aug 24, 2020
Reviewed Aug 26, 2020
Published to the GitHub Advisory Database Aug 26, 2020
Last updated Jan 6, 2023

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-r587-7jh2-4qr3

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.