CVE-2022-37164: Responsible disclosure policy · Issue #78 · inoda/ontrack
Inoda OnTrack v3.4 employs a weak password policy which allows attackers to potentially gain unauthorized access to the application via brute-force attacks. Additionally, user passwords are hashed without a salt or pepper making it much easier for tools like hashcat to crack the hashes.
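As an added illustration of the two weaknesses the advisory names (this is not code from OnTrack or from the researcher's report), the following Python contrasts a bare unsalted digest with a per-user salted, iterated scheme, and adds an assumed minimum password policy check. The sample accounts, the policy thresholds and the PBKDF2 parameters are assumptions for the demonstration, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample inputs (not from the advisory): two accounts sharing a password.
USERS: Dict[str, str] = {"alice": "Summer2022", "bob": "Summer2022"}


def unsalted_hash(password: str) -> bytes:
    """The weak scheme the advisory describes: a bare digest, no salt or pepper.
    Equal passwords give equal hashes, so one precomputed table serves every account."""
    return hashlib.sha256(password.encode()).digest()


def salted_hash(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> Tuple[bytes, bytes]:
    """Hardened form: a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256, assumed).
    Returns (salt, digest); both are stored, and the salt need not be secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored: bytes, rounds: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, stored)


def identical_hashes(users: Dict[str, str], salted: bool) -> bool:
    """Audit helper: do two users with the same password end up with the same stored hash?
    True for the unsalted scheme, False once each user gets their own salt."""
    if salted:
        digests = [salted_hash(p)[1] for p in users.values()]
    else:
        digests = [unsalted_hash(p) for p in users.values()]
    return len(set(digests)) < len(digests)


def password_meets_policy(password: str, min_len: int = 12) -> bool:
    """Assumed minimum policy, not OnTrack's: length plus three of four character classes.
    This raises the cost of online guessing; rate limiting and lockout still belong in front of it."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= min_len and sum(classes) >= 3
```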
Comments
Hello 👋
I run a security community that finds and fixes vulnerabilities in OSS. A researcher (@J-GainSec) has found a potential issue, which I would be eager to share with you.
Could you add a SECURITY.md file with an e-mail address for me to send further details to? GitHub recommends a security policy to ensure issues are responsibly disclosed, and it would help direct researchers in the future.
Looking forward to hearing from you 👍
(cc @huntr-helper)
**inoda** (Owner) commented Jul 30, 2022
**inoda** (Owner) commented Aug 1, 2022
@JamieSlome Can you just share the issue here publicly? I understand this is a mechanism to get adoption for your site but I’m not interested in making an account
**inoda** (Owner) commented Aug 1, 2022
Seems like this got moved to #82
@inoda - I have made both reports public at the same URLs.
We do not make reports private for adoption, but purely because many maintainers don’t want reports public by default. We allow maintainers to access reports using magic URLs, where sign-up is not required at all. This is why we first request an e-mail, so we can send a magic URL to view the reports 👍