FUXA
cpe:2.3:a:frangoteam:fuxa:*:*:*:*:*:*:*
- <= 1.2.8
An authentication bypass vulnerability allowing remote code execution (RCE) has been identified in FUXA versions through 1.2.8. The issue arises in the server/api/jwt-helper.js middleware, where the HTTP 'Referer' header is improperly trusted for validating internal requests. This flaw enables remote, unauthenticated attackers to spoof the Referer header, bypassing JWT authentication and gaining access to the protected /api/runscript endpoint. Exploitation of this vulnerability allows for the execution of arbitrary Node.js code on the server.
Exploitation lets a remote, unauthenticated attacker bypass authentication and reach the /api/runscript endpoint, where arbitrary Node.js code can be executed on the server.
The vulnerability can be reproduced by sending a request to the FUXA server with a spoofed Referer header that matches the server's host. This bypasses the authentication requirement and allows access to the /api/runscript endpoint. Once the authentication is bypassed, arbitrary Node.js code can be executed on the server.
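The trust decision described above, shown as an added illustration that is not FUXA's source code: a check that accepts a same-host Referer as proof of an internal request, next to a token-only check and a helper for flagging requests that only the flawed check admits. The function names, the `x-access-token` header, the token stand-in and the sample host are assumptions made for this example.

```javascript
// Added illustration, not FUXA's source. All names below are hypothetical.

// Stand-in for real JWT verification (signature and expiry checks).
const VALID_TOKENS = new Set(['constructed-valid-token']);
const verifyToken = (t) => typeof t === 'string' && VALID_TOKENS.has(t);

// Host part of the Referer header, or '' when absent or malformed.
function refererHost(req) {
  try { return new URL(req.headers['referer'] || '').host; } catch (_) { return ''; }
}

// Flawed pattern: a Referer naming the server's own host is taken as proof
// that the request is internal, so token verification is skipped.
function authorizeTrustingReferer(req) {
  const host = req.headers['host'] || '';
  if (host && refererHost(req) === host) return { allowed: true, reason: 'referer' };
  return authorizeTokenOnly(req);
}

// Hardened form: no client-supplied header (Referer, Host, Origin) grants
// access; only a verified token does.
function authorizeTokenOnly(req) {
  return verifyToken(req.headers['x-access-token'])
    ? { allowed: true, reason: 'token' }
    : { allowed: false, reason: 'no-valid-token' };
}

// Log-review helper: true for requests that only the flawed check admits.
function admittedOnlyByReferer(req) {
  return authorizeTrustingReferer(req).allowed && !authorizeTokenOnly(req).allowed;
}

// Constructed sample requests (header names lower-cased, as Node presents them).
const SAMPLES = [
  { path: '/api/runscript', headers: { host: 'hmi.example.test',
      referer: 'http://hmi.example.test/editor' } },
  { path: '/api/runscript', headers: { host: 'hmi.example.test',
      'x-access-token': 'constructed-valid-token' } },
  { path: '/api/runscript', headers: { host: 'hmi.example.test' } },
];

for (const req of SAMPLES) {
  console.log(req.path, 'flawed:', authorizeTrustingReferer(req).reason,
    'hardened:', authorizeTokenOnly(req).reason,
    'flag:', admittedOnlyByReferer(req));
}
```

Applied to parsed access logs, `admittedOnlyByReferer` singles out tokenless requests to protected endpoints that carry a same-host Referer, which is the request shape the advisory describes.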