Overnight pentest run produced recon, analysis, exploitation reports, and a full security assessment. Plan.md updated with 22 prioritized fix items for auth, SSRF, injection, XSS, and hardening. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
## Summary
Found **7 injection vulnerabilities** across the active Archipelago backend:

| ID | Severity | Type | Key Risk |
|----|----------|------|----------|
| INJ-001 | **Critical** | Arbitrary File Read | `container-install` reads any file path as root |
| INJ-002 | **Critical** | Path Traversal → `rm -rf` | `package.uninstall` deletes arbitrary directories via `../` in `id` |
| INJ-003 | **Critical** | Arbitrary Volume Mount | `bundled-app-start` mounts any host path into attacker container |
| INJ-006 | **High** | Arbitrary Container Execution | `package.install` pulls/runs any Docker image from any registry |
| INJ-004 | **Medium** | SSRF / Unrestricted API Proxy | `/proxy/lnd/*` forwards to LND REST API without auth |
| INJ-005 | **Medium** | Argument Injection | Unsanitized `app_id`/`package_id` passed to podman commands |
| INJ-007 | **Low** | Log Injection | Unauthenticated P2P endpoint stores arbitrary content |

**Root cause**: All these share a common pattern — user-controlled input from unauthenticated RPC calls flows directly into privileged operations (file I/O, process execution, container orchestration) without validation or sanitization. The most impactful fix would be wiring authentication middleware into the HTTP handler, followed by input validation on all `app_id`, `package_id`, `manifest_path`, and `volumes` parameters.
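
A sketch of the input-validation half of that fix, added here as an illustration and not taken from the Archipelago code base. The root directories, the ID pattern and the `host:container` volume format are assumptions; only the four parameter names come from the findings above.

```python
import re
from pathlib import Path

# Assumed roots; the real Archipelago paths are not given in this report.
MANIFEST_ROOT = Path("/srv/example/manifests")
VOLUME_ROOT = Path("/srv/example/app-data")
# First char alphanumeric: rejects "../" traversal and "-flag" argument injection.
ID_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")

class ValidationError(ValueError):
    """Raised when a request parameter fails validation."""

def validate_id(value):
    """Allowlist check for app_id / package_id (assumed ID grammar)."""
    if not isinstance(value, str) or not ID_RE.fullmatch(value) or ".." in value:
        raise ValidationError(f"invalid id: {value!r}")
    return value

def confine(path, root):
    """Resolve path under root; reject absolute paths and ../ escapes."""
    base = root.resolve()
    if not isinstance(path, str) or "\0" in path:
        raise ValidationError(f"invalid path: {path!r}")
    candidate = (base / path).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        raise ValidationError(f"path escapes {root}: {path!r}")
    return candidate

def validate_volumes(volumes):
    """Each spec is a 'host:container' string; host must stay under VOLUME_ROOT."""
    checked = []
    for spec in volumes:
        host, sep, target = spec.partition(":")
        if not sep or not target.startswith("/") or ":" in target:
            raise ValidationError(f"bad volume spec: {spec!r}")
        checked.append(f"{confine(host, VOLUME_ROOT)}:{target}")
    return checked

def validate_request(params):
    """Validate an RPC parameter dict before any privileged operation runs."""
    clean = {}
    for key in ("app_id", "package_id"):
        if key in params:
            clean[key] = validate_id(params[key])
    if "manifest_path" in params:
        clean["manifest_path"] = confine(params["manifest_path"], MANIFEST_ROOT)
    if "volumes" in params:
        clean["volumes"] = validate_volumes(params["volumes"])
    return clean
```

Handlers would call `validate_request` once, after authentication, and pass only the returned values to file I/O or podman; IDs should still be passed as separate argv elements, never through a shell string.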