Overnight pentest run produced recon, analysis, exploitation reports, and a full security assessment. Plan.md updated with 22 prioritized fix items for auth, SSRF, injection, XSS, and hardening. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Not critical — those app proxy paths were already confirmed through other probes. The full attack surface analysis is complete above.

**Summary of critical findings:**

1. **Zero authentication on the entire RPC API** — every method callable by anyone on the network
2. **Arbitrary container image execution** — `package.install` pulls and runs any Docker image
3. **Cryptographic key abuse** — `node.signChallenge` signs arbitrary data without auth (confirmed with live signature)
4. **FileBrowser full access via default credentials** — `admin/admin` confirmed working with admin JWT
5. **Unauthenticated Claude API proxy** — free API usage at owner's expense (confirmed)
6. **P2P message injection** — spoofed messages already present in the message store
7. **CORS wildcard** on all endpoints enables drive-by attacks from any website
8. **Backend runs as root** with dev mode enabled in production

The most urgent remediation is wiring authentication middleware into the `core/archipelago` handler — the session infrastructure exists in `core/startos/` but is **not connected** to the active backend's request pipeline.
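
The remediation above (findings 1 and 7) as a deny-by-default gate in front of an RPC dispatcher, with an origin allowlist replacing the CORS wildcard. This is an added sketch, not code from the project: it is written in Python for illustration only, and `SESSIONS`, `PUBLIC_METHODS`, `ALLOWED_ORIGINS`, `auth.login`, `issue_session` and `handle_rpc` are hypothetical names, with the origin a constructed value.

```python
import hashlib
import secrets

# All names below are hypothetical; they stand in for the existing session store.
SESSIONS = {}                                # sha256(token) -> user id
PUBLIC_METHODS = {"auth.login"}              # explicit allowlist; everything else needs a session
ALLOWED_ORIGINS = {"https://node.example"}   # constructed value; replaces "Access-Control-Allow-Origin: *"


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(user):
    """Create a random bearer token and store only its hash."""
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = user
    return token


def cors_headers(origin):
    """Echo the origin only when it is on the allowlist; otherwise send no CORS headers."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def handle_rpc(request, handlers):
    """Gate every call before dispatch. Returns (status, headers, body)."""
    req_headers = request.get("headers", {})
    headers = cors_headers(req_headers.get("Origin"))
    method = request.get("method")
    user = None
    # Authenticate first, so unauthenticated callers cannot even enumerate methods.
    if method not in PUBLIC_METHODS:
        auth = req_headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        user = SESSIONS.get(_digest(token)) if token else None
        if user is None:
            return 401, headers, {"error": "authentication required"}
    if method not in handlers:
        return 404, headers, {"error": "unknown method"}
    return 200, headers, handlers[method](user, request.get("params", {}))
```

Because the check sits in the dispatcher rather than in each handler, a newly registered method such as `package.install` or `node.signChallenge` is protected unless it is deliberately added to the public allowlist.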