Decolua 9router Authorization Bypass Vulnerability in Administrative API Endpoints

Vulnerability

A critical authorization bypass vulnerability has been identified in Decolua 9router versions through 0.3.47. The issue arises from improper authentication checks on several administrative API endpoints, which allow remote attackers to reach sensitive functions without authorization. Exploitation can lead to a full compromise of the application, including unauthorized access to database management, API key generation, provider credentials, and application settings. It also enables server-side request forgery (SSRF) and remote shutdown of the server.

Impact

Exploitation of this vulnerability allows for unauthorized access to administrative API endpoints, enabling attackers to export and modify database contents, manage API keys, access provider credentials, alter application settings, execute server-side requests to external destinations, and shut down the server remotely.

Reproduction

The vulnerability can be reproduced by sending requests to the unprotected administrative API endpoints without authentication. This can be done using a proof-of-concept exploit that is available in a public repository.

Remediation

Users are advised to upgrade to Decolua 9router version 0.3.75, which addresses this vulnerability. The updated version can be downloaded from the Decolua 9router GitHub releases page.

Added: Apr 9, 2026, 5:23 AM
Updated: Apr 9, 2026, 5:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.