漏洞标题
Webhood后端缺少关键功能的验证授权
漏洞描述信息
Webhood是一个自托管的URL扫描器,用于分析钓鱼和恶意网站。Webhood 0.9.0及更早版本的后端容器镜像存在关键功能缺少身份验证的漏洞。此漏洞允许未经过身份验证的攻击者向数据库(Pocketbase)管理API发送HTTP请求以创建管理员账户。当没有添加管理员账户时,Pocketbase管理API在创建管理员账户时不会检查身份验证/授权。在默认部署中,Webhood不会创建数据库管理员账户。因此,除非用户已在数据库中手动创建管理员账户,否则部署中不会存在管理员账户,且部署会受到此漏洞的影响。从0.9.1版本开始已修复此漏洞。该修复程序在尚未创建管理员账户的情况下(即漏洞可被利用的部署中)会生成一个随机的管理员账户。作为临时解决方案,用户可以完全禁用以`/api/admins`开头的URL路径的访问。使用此解决方案后,漏洞将无法通过网络被利用。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
漏洞类别
关键功能的认证机制缺失
漏洞标题
Missing Authentication for Critical Function in Webhood backend
漏洞描述信息
Webhood is a self-hosted URL scanner used analyzing phishing and malicious sites. Webhood's backend container images in versions 0.9.0 and earlier are subject to Missing Authentication for Critical Function vulnerability. This vulnerability allows an unauthenticated attacker to send a HTTP request to the database (Pocketbase) admin API to create an admin account. The Pocketbase admin API does not check for authentication/authorization when creating an admin account when no admin accounts have been added. In its default deployment, Webhood does not create a database admin account. Therefore, unless users have manually created an admin account in the database, an admin account will not exist in the deployment and the deployment is vulnerable. Versions starting from 0.9.1 are patched. The patch creates a randomly generated admin account if admin accounts have not already been created i.e. the vulnerability is exploitable in the deployment. As a workaround, users can disable access to URL path starting with `/api/admins` entirely. With this workaround, the vulnerability is not exploitable via network.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
漏洞类别
关键功能的认证机制缺失
漏洞标题
Webhood 安全漏洞
漏洞描述信息
Webhood是一款自托管 URL 扫描器,用于分析网络钓鱼和恶意网站。 Webhood 0.9.0及之前版本存在安全漏洞,该漏洞源于允许未经身份验证的攻击者向数据库(Pocketbase)admin API发送HTTP请求来创建管理员帐户。
CVSS信息
N/A
漏洞类别
其他