gooaclok819 sublinkX Hard-Coded Cryptographic Key Vulnerability in JWT Middleware
Vulnerability
A vulnerability exists in gooaclok819 sublinkX versions through 1.8, where a hard-coded JSON Web Token (JWT) secret key is embedded in the middleware file 'jwt.go'. Because the signing key is fixed in source, anyone who knows it can forge JWT tokens and bypass authentication. The vulnerability can be exploited remotely without any authentication. Although exploitation is considered complex, a public proof-of-concept is available.
Impact
The hard-coded key allows attackers to forge JWT tokens, including tokens carrying admin privileges, and thereby bypass authentication and gain unauthorized access.
Reproduction
To reproduce this vulnerability, send a request to the 'AddTemp' endpoint in 'api/template.go' with the 'filename' parameter set to a value that includes directory traversal sequences (such as '../../../../etc/pwn.123') and the 'text' parameter containing any text. The server will write the file to the specified location, demonstrating the arbitrary file write vulnerability. Afterward, the hard-coded JWT secret can be used to generate a forged JWT token, which can be used to gain unauthorized access to restricted areas of the application.
Remediation
Upgrade to gooaclok819 sublinkX version 1.9, which addresses this vulnerability by removing the hard-coded key and replacing it with a configurable option. The updated version is available on the project's GitHub releases page.
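The following Go program is an added illustration of the weakness and of the shape of the fix the remediation describes; it is not code from sublinkX, and the environment variable name SUBLINK_JWT_SECRET, the minimum key length and the constant insecureHardCodedSecret are assumptions made for the example. It contrasts a secret fixed in source with one loaded from configuration at startup, refusing to run when the secret is missing, too short, or equal to a known leaked value, and it verifies HS256 tokens using a constant-time comparison so that a token signed under any other key, including the old hard-coded one, is rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// insecureHardCodedSecret is a constructed stand-in for the weak pattern the advisory
// describes: a signing key fixed in source. Anyone who can read the repository can
// mint tokens with it, so the loader below rejects it outright.
const insecureHardCodedSecret = "example-do-not-use"

// secretEnvVar is an assumed name; the real project's configuration option is not named on this page.
const secretEnvVar = "SUBLINK_JWT_SECRET"

// minSecretBytes is a reasonable floor for an HMAC-SHA256 key (assumed policy value).
const minSecretBytes = 32

// LoadSecret reads the signing key from configuration (an env-style lookup is passed in so
// the function is testable) and fails closed instead of falling back to any default value.
func LoadSecret(lookup func(string) (string, bool)) ([]byte, error) {
	v, ok := lookup(secretEnvVar)
	if !ok || v == "" {
		return nil, fmt.Errorf("%s is not set; refusing to start with a default secret", secretEnvVar)
	}
	if len(v) < minSecretBytes {
		return nil, fmt.Errorf("%s must be at least %d bytes", secretEnvVar, minSecretBytes)
	}
	if v == insecureHardCodedSecret {
		return nil, errors.New("configured secret equals the known hard-coded value; rotate it")
	}
	return []byte(v), nil
}

// Claims is the minimal payload used in this example.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces an HS256 JWT (header.payload.signature) under the supplied key.
func Sign(secret []byte, c Claims) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// Verify accepts only HS256, compares the signature in constant time, and enforces exp.
func Verify(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(mac.Sum(nil), got) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp != 0 && now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// With SUBLINK_JWT_SECRET unset the service refuses to start rather than use a built-in key.
	secret, err := LoadSecret(os.LookupEnv)
	if err != nil {
		fmt.Println("startup refused:", err)
		return
	}
	tok, _ := Sign(secret, Claims{Sub: "admin", Role: "admin", Exp: time.Now().Add(time.Hour).Unix()})
	c, err := Verify(secret, tok, time.Now())
	fmt.Println(c, err)
}
```

The point of the loader is that there is no fallback: a missing or weak secret stops the service at startup, which is the behaviour a reviewer should look for when auditing any middleware that signs session tokens. Rotating away from a leaked constant also invalidates every token issued under it, since Verify recomputes the MAC with the new key.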
