The issues
We discovered a way to bypass the authentication in this application when deployed using the official Docker image. Because a hard-coded secret is used to sign the authentication token (JWT), an attacker could compromise another instance of Izanami by doing the following steps:
- The attacker installs his own Izanami application.
- The attacker logs in and copies the content of the cookie named Izanami.
- The attacker connects to the victim’s website and creates a cookie named Izanami with the previous value.
- The attacker is successfully logged in, even if his user does not exist.
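As an added illustration (not code from this advisory or from Izanami), a minimal HS256 token check shows why a signing secret baked into an image lets a cookie minted on one instance pass on another, and how refusing to start without a per-deployment secret closes the gap. The placeholder secret value, the `JWT_SECRET` variable name and the loader functions are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the signature matches this instance's secret, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


# Constructed placeholder: stands in for a secret shipped inside an image and shared by every deployment.
SHARED_DEFAULT_SECRET = b"placeholder-default-secret"


def load_secret_unsafe(env: dict) -> bytes:
    """Vulnerable pattern: silently fall back to the built-in default when nothing is configured."""
    return env.get("JWT_SECRET", SHARED_DEFAULT_SECRET.decode()).encode()


def load_secret_safe(env: dict) -> bytes:
    """Hardened pattern: refuse to start unless a unique, sufficiently long secret is configured."""
    secret = env.get("JWT_SECRET", "")
    if len(secret) < 32 or secret.encode() == SHARED_DEFAULT_SECRET:
        raise RuntimeError("JWT_SECRET must be set to a unique value of at least 32 characters")
    return secret.encode()


def cross_instance_replay(loader, attacker_env: dict, victim_env: dict) -> bool:
    """True if a cookie minted on one instance is accepted by a different instance."""
    token = sign_jwt({"sub": "someone"}, loader(attacker_env))
    return verify_jwt(token, loader(victim_env)) is not None
```

With the unsafe loader two unconfigured deployments share the default and the replay succeeds; with the safe loader each deployment must carry its own secret, so the token is rejected.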
Affected versions
At the time this report is written, the version 1.10.22 was proven to be affected. Previous versions are likely to be vulnerable too.
Patched version
Version 1.11.0 fixes the issue. We strongly encourage you to upgrade your existing Izanami deployments to v1.11.0
Credits
This issue was discovered by Raphaël LOB from Synacktiv (https://www.synacktiv.com/)