Advisories for Golang/Github.com/IceWhaleTech/CasaOS-UserService package

The Casa OS Login page has disclosed the username enumeration vulnerability in the login page which was patched in CasaOS v0.4.7.

Summary http://demo.casaos.io/v1/users/image?path=/var/lib/casaos/1/avatar.png Originally it was to get the url of the user's avatar, but the path filtering was not strict, making it possible to get any file on the system. Details Construct paths to get any file. Such as the CasaOS user database, and furthermore can obtain system root privileges. PoC http://demo.casaos.io/v1/users/image?path=/var/lib/casaos/conf/../db/user.db Impact v0.4.6 all previous versions

Summary The Casa OS Login page has disclosed the username enumeration vulnerability in the login page. Details It is observed that the attacker can enumerate the CasaOS username using the application response. If the username is incorrect application gives the error "User does not exist", If the password is incorrect application gives the error "Invalid password". PoC Capture the login request in a tool like Burp Suit and use the …

Here it is observed that the CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server.