Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in tildeclub/site


Reported on

Sep 13th 2021

✍️ Description

The file signup-handler.php creates a user by accepting input from request parameters username, email, interest, sshkey. The affected parameter is sshkey. It does not sanitizes special characters and only checks if the first 4 character of the input is ssh- which allows the signup entries in /var/signups to be malformed using special characters {, }

In particular, it is possible to control the input sshkey to ssh-%20anything%7D%22%0Amakeuser%20%7Badmin%7D%20%7Bmyemail%40asdasd.asd%7D%20%22%7BMySSHkey to create a user name, such as admin, in the array forbidden_name.


Perform input validation in sshkey 📍 Location signup-handler.php#L102 signup-handler.php#L75

We have contacted a member of the tildeclub/site team and are waiting to hear back 2 years ago
Viky modified the report
2 years ago
Viky modified the report
2 years ago
Viky modified the report
2 years ago
tildeclub/site maintainer validated this vulnerability 2 years ago
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs
tildeclub/site maintainer marked this as fixed with commit 09f103 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation