Skip to content

API Admin Auth Weakness in tomato

Critical severity GitHub Reviewed Published Aug 31, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm tomato (npm)

Affected versions

<= 0.0.5

Patched versions

0.0.6

Description

Versions of tomato prior to 0.0.6 are affected by a somewhat complex authentication bypass vulnerability in the admin service when only a single access key is configured on the server. The vulnerability allows an attacker to guess the password for the admin service, no matter how complex that password is, in less than 200 requests.

Details

The tomato API has an admin service that is enabled by setting up an access_key in the config options. This access_key is intended to protect the API admin from unauthorized access.

Tomato verifies the access_key by checking to see if the server access_key incorporates the user provided value at any location. This allows an attacker to provide a single character as an access_key, and so long as the server key contains at least one instance of that character it will be considered a valid key.

Proof of Concept

This is the snippet of code that does the comparison to authorize requests.

if (access_key && config.master.api.access_key.indexOf(access_key) !== -1) {

For an access_key that is set to anything that includes the letter 'a' the following request would be authorized.

$ curl -X POST "http://localhost:8081/api/exec" -H "Content-Type: application/json" -d @test -H "access-key: a"
{
 "cmd": "ls",
 "path": ".",
 "stdout": "app.js\nconfig.js\nlog\nnode_modules\nserver.js\n",
 "stderr": ""
}

Recommendation

Update to version 0.0.6 or later.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Aug 31, 2020
Last updated Jan 9, 2023

Severity

Critical

EPSS score

0.858%
(83rd percentile)

Weaknesses

CVE ID

CVE-2013-7379

GHSA ID

GHSA-9vxc-g2jx-qj3p

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.