Termix Authentication Bypass Vulnerability in Official Docker Image
Vulnerability
An authentication bypass vulnerability has been identified in Termix, a web-based server management platform, specifically in the official Docker image for Termix versions 1.5.0 and below. This vulnerability arises from the Nginx reverse proxy configuration, which causes the backend to receive the proxy's IP address instead of the client's IP. As a result, the 'isLocalhost' check always returns true, allowing direct access to the '/ssh/db/host/internal' endpoint without authentication. This endpoint exposes sensitive SSH host information, including addresses, usernames, and passwords, creating a significant security risk.
Impact
Exploitation of this vulnerability allows unauthorized access to the '/ssh/db/host/internal' endpoint, bypassing authentication and exposing sensitive SSH configuration data.
Reproduction
The vulnerability can be reproduced by deploying the official Termix Docker image with the default Nginx configuration. Once the application is running, access the '/ssh/db/host/internal' endpoint directly. The absence of authentication and the exposure of SSH host information will confirm the vulnerability.
Remediation
Users can update to Termix version 1.6.0 or later, where this vulnerability has been addressed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.