Impact
A default server secret, "flood", was provided in the config template. There is no warning or error if the user doesn't change the default (Flood-UI/flood#589).
Most unfortunately, many tutorial writers and container image builders have not recognized the importance of a unique secret and simply use the default in their tutorials and images. Many users might be using a weak and public secret as a result.
Intruders who know the secret can use it to sign authentication tokens themselves. This MIGHT ALLOW Flood's builtin authentication to be bypassed. Given Flood is granted access to rTorrent's SCGI interface (which is unprotected and ALLOWS arbitrary code execution) and usually wide-ranging privileges to files, along with Flood's lack of security controls against authenticated users, the severity of this vulnerability is HIGH.
Patches
Commit d137107 removed this default from the config template and made sure that "build" or "start" can't happen before the secret in config.js is changed.
However, this will not stop users from continuing to use a weak and public secret. As such, commit 103f53c provided a general mitigation to this kind of problem by searching the static assets to ensure the secret is not included in them before starting the server (backend). As the static assets include the project's name "flood" (formerly the default secret) and some other strings (e.g. "1234567890"), users who are using a very weak secret can be made aware of the vulnerability.
Workarounds
Users should change the secret if it is weak.
While maintainers will do their best to support it, Flood cannot guarantee that its in-house access control system can stand against determined attackers in high-stakes environments. Use HTTP Basic Auth or other battle-hardened authentication methods instead of Flood's in-house one; you can use disableUsersAndAuth to avoid duplicate authentication.
Users are advised to check out the wiki for more information on security precautions.
References
Wiki - Security precautions
Introduction to JSON Web Tokens
For more information
If you have any questions or comments about this advisory: