Automad Broken Access Control Vulnerability Allows Unauthenticated Password Hash Retrieval

Vulnerability

A broken access control vulnerability has been identified in Automad versions 2.0.0-alpha.1 through 2.0.0-beta.27 (fixed in 2.0.0-beta.28). It allows an unauthenticated attacker to retrieve the bcrypt password hashes of all administrator accounts with a single POST request. The flaw lies in the publicly reachable '/_api/user-collection/create-first-user' setup endpoint, which returns the full serialized user data, including password hashes and TOTP secrets, in its JSON response. The endpoint is only meant to be used during initial setup, but it remains accessible after the first user has been created, so any remote attacker can call it and read the sensitive data it returns.

Impact

Exploitation of this vulnerability exposes the bcrypt password hashes of all administrator accounts, enabling offline brute-force or dictionary attacks against them. In version 2.0.0-beta.27, TOTP secrets are exposed as well, so an attacker who recovers a password from its hash can also generate valid one-time codes and bypass two-factor authentication for accounts that have TOTP enabled.

Reproduction

To reproduce this vulnerability, first fetch the login page, which is accessible without authentication, and extract the CSRF token from its source. Next, obtain the Automad session cookie (no login is required). With these two values, send a POST request to the '/_api/user-collection/create-first-user' endpoint that carries the CSRF token and the session cookie. The JSON response contains the bcrypt password hashes and, where present, the TOTP secrets of all administrator accounts.

Remediation

Users are advised to update Automad to version 2.0.0-beta.28 or later. Because the endpoint was reachable without authentication on affected versions, administrator password hashes and TOTP secrets may already have been retrieved; if there is any indication that the endpoint was called before the upgrade, treat those credentials as compromised and rotate the affected passwords and TOTP secrets.
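A check for whether the endpoint was hit before the upgrade: scan web server access logs for requests to the setup endpoint and count successful ones per source address. This is an added example, not part of the advisory; it assumes the common combined log format written by nginx and Apache, and the log lines are constructed for illustration. Any 2xx response to a POST on this path from a vulnerable build should be treated as a dump of every administrator hash.

```python
"""Scan combined-format access logs for hits on the leaking setup endpoint."""
import re
from collections import Counter

ENDPOINT = "/_api/user-collection/create-first-user"  # from the advisory

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings
    return rec


def find_endpoint_hits(lines, endpoint=ENDPOINT):
    """Return every parsed request whose path is the setup endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == endpoint:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count 2xx hits per source IP; each one may be a full credential dump."""
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:20:01:12 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [28/May/2026:20:01:13 +0000] "POST /_api/user-collection/create-first-user HTTP/1.1" 200 812 "-" "curl/8.5.0"
198.51.100.2 - - [28/May/2026:20:05:40 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2026:20:06:02 +0000] "POST /_api/user-collection/create-first-user?x=1 HTTP/1.1" 200 812 "-" "curl/8.5.0"
192.0.2.9 - - [28/May/2026:21:00:00 +0000] "POST /_api/user-collection/create-first-user HTTP/1.1" 403 0 "-" "python-requests/2.31"
""".splitlines()

if __name__ == "__main__":
    hits = find_endpoint_hits(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["status"])
    for ip, n in summarize(hits).items():
        print(f"{ip}: {n} successful call(s) to {ENDPOINT}")
```

Replace `SAMPLE_LOG` with the lines of the real access log (`open(path)` yields them directly). Non-2xx hits are still listed, since a 403 or 4xx on a vulnerable build shows someone probing for the flaw even if the CSRF check failed that time.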

Added: May 28, 2026, 8:48 PM
Updated: May 28, 2026, 8:48 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.