Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] Major security flaw due to hardcoded JWT secret! #465

Open
1RandomDev opened this issue Aug 27, 2024 · 3 comments
Open

[SECURITY] Major security flaw due to hardcoded JWT secret! #465

1RandomDev opened this issue Aug 27, 2024 · 3 comments

Comments

@1RandomDev
Copy link

1RandomDev commented Aug 27, 2024
edited
Loading

  • App version: 2.3.1

Bug description:
I noticed that the secret for generating JWTs when logging in is hardcoded in the .env file. This key is publicly known and the same for every instance and therefor entirely bypasses password authentication. You can use every token generated by every flame instance to log into every other instance!

Solution:
This issue can be easily solved by setting the SECRET environment variable to a long random string, but unfortunately this is mentioned nowhere in the README. Additionally there should NEVER be a default secret key, it should be required to be set by the user or be randomly generated on each start if not set. In this case even if the user fails to configure it properly a new key will be generated on each start invalidating existing sessions.

Proof:
You can easily try this out by logging out of your dashboard, open the local storage editor in your browsers dev tools and add the following entry:
Key: token
Value: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhcHAiOiJmbGFtZSIsImlhdCI6MTcyNDc3MDUyNiwiZXhwIjoxNzU2MzI4MTI2fQ.lQ-qxon9MrSrU_-6sdIApO8fURVRq0kUpwLUIkqAnFE
This should log you in to every flame dashboard that's out there regardless of the set password.
@1RandomDev 1RandomDev changed the title [SECURITY] Major securriry flaw due to hardcoded JWT secret! [SECURITY] Major security flaw due to hardcoded JWT secret! Aug 27, 2024
@simono41
Copy link

simono41 commented Sep 2, 2024

I tried the security vulnerability in my own instance and can only confirm it.

This issue should definitely be fixed, but I believe that this project is no longer maintained.

I will turn off public access to my flame environment until the problem is solved.

@sylflo
Copy link

sylflo commented Sep 9, 2024
edited
Loading

If anyone is interested I made a simple fix here https://github.com/sylflo/flame/pull/2/files

Also I added a bunch of stuff in the .dockerignore here https://github.com/sylflo/flame/pull/1/files

There is a docker image publicly available at docker.io/sylflo/flame

@1RandomDev
Copy link
Author

1RandomDev commented Sep 9, 2024
edited
Loading

That's a good hot fix for now, for the long run it would probably be the most user friendly solution, especially since the app already needs a persistent volume anyway, to generate a random key at the first start and save it in the config.json or another secrets file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sylflo @simono41 @1RandomDev