6623dbc4ab
Overnight pentest run produced recon, analysis, exploitation reports, and a full security assessment. Plan.md updated with 22 prioritized fix items for auth, SSRF, injection, XSS, and hardening. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1.3 KiB
1.3 KiB
Summary
Found 7 injection vulnerabilities across the active Archipelago backend:
| ID | Severity | Type | Key Risk |
|---|---|---|---|
| INJ-001 | Critical | Arbitrary File Read | container-install reads any file path as root |
| INJ-002 | Critical | Path Traversal → rm -rf |
package.uninstall deletes arbitrary directories via ../ in id |
| INJ-003 | Critical | Arbitrary Volume Mount | bundled-app-start mounts any host path into attacker container |
| INJ-006 | High | Arbitrary Container Execution | package.install pulls/runs any Docker image from any registry |
| INJ-004 | Medium | SSRF / Unrestricted API Proxy | /proxy/lnd/* forwards to LND REST API without auth |
| INJ-005 | Medium | Argument Injection | Unsanitized app_id/package_id passed to podman commands |
| INJ-007 | Low | Log Injection | Unauthenticated P2P endpoint stores arbitrary content |
Root cause: All these share a common pattern — user-controlled input from unauthenticated RPC calls flows directly into privileged operations (file I/O, process execution, container orchestration) without validation or sanitization. The most impactful fix would be wiring authentication middleware into the HTTP handler, followed by input validation on all app_id, package_id, manifest_path, and volumes parameters.