Directory listing in multiple endpoints in nilsteampassnet/teampass

Valid

Reported on

Jun 10th 2023


Description

Teampass has directory listing by default for various endpoints that eventually discloses application-specific and user data and files.

Proof of Concept

Visit the following endpoint without logging in to the application.

Sensitive

  • https://127.0.0.1/includes (configs)
  • https://127.0.0.1/upload (Uploaded files)
  • https://127.0.0.1/files (Contains .sql file)

Miscellaneous

  • https://127.0.0.1/api/Controller
  • https://127.0.0.1/api/Model
  • https://127.0.0.1/api/inc
  • https://127.0.0.1/pages
  • https://127.0.0.1/sources
  • https://127.0.0.1/plugins
  • https://127.0.0.1/scripts

Note

This could be fixed using the server configuration itself but it is better to do it in the application level as well as there are many teampass installations on the internet that are exposing their data publicly as shown in the image below. This could be fixe simply by adding a blank index.php pages in the directories.

Impact

Sensitive files can be accessed by attackers. Here's a real-world example:

References

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 9 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 9 months ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 9 months ago
Nils Laumaillé validated this vulnerability 8 months ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.10 with commit e9f90b 8 months ago
The fix bounty has been dropped
This vulnerability has now been published 8 months ago
Nils Laumaillé gave praise 8 months ago
thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation