Unsafe plugins can be installed via pack import by tenant admins
High severity • GitHub Reviewed • Published Jul 27, 2023 in saltcorn/saltcorn • Updated Sep 6, 2023
Unsafe plugins (for instance sql-list) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disabled.
Details
I have an example: https://bot20230704.saltcorn.com/view/all_plugins
It is publicly accessible (but it contains no particularly sensitive values except the list of tenants).
But using this mechanism one can read any data from other tenants.
Impact
All tenants of an installation (i.e. saltcorn.com) can be compromised by a tenant user who has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants.
Revived after 0.8.7
After the patch in 0.8.7, this is not completely fixed.
Here are steps to reproduce:
Here is the logic:
Unsafe plugins are checked against this list:
https://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191
But it is under the control of the tenant admin, not the server admin.
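A toy model of the trust-boundary problem described above, as an added example that is not Saltcorn's code. All function and store names are hypothetical, the data is constructed, and it assumes the allow-list is kept in a per-tenant store; it contrasts a gate that reads the tenant's own list with one that reads only server-admin state.

```javascript
"use strict";
// Hypothetical model, not Saltcorn code. Constructed data: "server" is writable
// only by the server admin, "tenants.<name>" by that tenant's admin.
function makeStores() {
  return {
    server: { allowUnsafeForTenants: false, safePlugins: ["example-theme", "example-markdown"] },
    tenants: { acme: { safePlugins: ["example-theme", "example-markdown"] } },
  };
}

// Weak gate: the allow-list is read from the tenant's own store, so the party
// being restricted can change the restriction.
function allowedWeak(stores, tenant, name) {
  if (stores.server.allowUnsafeForTenants) return true;
  return stores.tenants[tenant].safePlugins.includes(name);
}

// Corrected gate: both the policy flag and the allow-list come from the
// server-admin store; tenant-scoped values are never consulted.
function allowedStrict(stores, tenant, name) {
  if (stores.server.allowUnsafeForTenants) return true;
  return stores.server.safePlugins.includes(name);
}

// Pack import applies the gate to every plugin the pack names, so a pack
// cannot carry in a plugin that a direct install would refuse.
function importPack(stores, tenant, pack, gate) {
  const result = { installed: [], rejected: [] };
  for (const plugin of pack.plugins) {
    const ok = gate(stores, tenant, plugin.name);
    (ok ? result.installed : result.rejected).push(plugin.name);
  }
  return result;
}

// Constructed scenario: the tenant's list has been widened from inside the tenant.
function demo() {
  const stores = makeStores();
  stores.tenants.acme.safePlugins.push("sql-list");
  const pack = { plugins: [{ name: "example-markdown" }, { name: "sql-list" }] };
  return {
    weak: importPack(stores, "acme", pack, allowedWeak),
    strict: importPack(stores, "acme", pack, allowedStrict),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the strict gate, sql-list lands in `rejected` regardless of what the tenant store contains.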
Proposed login:
References