Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users gets placed into other's account #5192

Open
3 tasks done
Krstf01 opened this issue Aug 22, 2024 · 5 comments
Open
3 tasks done

Users gets placed into other's account #5192

Krstf01 opened this issue Aug 22, 2024 · 5 comments
Labels
not confirmed Report seems plausible but requires additional testing or 3rd part confirmation.

Comments

@Krstf01
Copy link

Krstf01 commented Aug 22, 2024

Current Behavior

Today every user got placed into one customer's account including me too (admin).
This happened before while we tested this, and was not able to recreate this issue, it seems happening randomly. Is this some well known issue, or unknow?
Also worth mentioning i have "stellar" theme installed.

Expected Behavior

The expected is to not put everyone into one user's account, obviously.

Steps to Reproduce

Install stellar theme
Have multiple users registered
Log in
Close the page
Open the panel again
(it happens rarely, but if someone gets into one of the admin's account, thats a serious vulnerability i think)

Panel Version

1.11.7

Wings Version

1.11.13

Games and/or Eggs Affected

No response

Docker Image

No response

Error Logs

No response

Is there an existing issue for this?

  • I have searched the existing issues before opening this issue.
  • I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
  • I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
@Krstf01 Krstf01 added the not confirmed Report seems plausible but requires additional testing or 3rd part confirmation. label Aug 22, 2024
@MackenzieMolloy
Copy link

Steps to Reproduce
Install stellar theme

Are you able to reproduce this issue with no modifications made to Pterodactyl's source code?

If not, it's an issue either with your installation of the theme or the theme it's self and thus you should contact the theme author.

@danny6167
Copy link
Member

This is likely an issue with your modification, or some kind of proxy or other component specific to your setup that is misbehaving.

Nobody else has ever reported anything like this happening.

@Mutex21
Copy link

Mutex21 commented Aug 27, 2024

Do you have any layer7 protection installed on your system? Also, are you behind proxy or Cloudflare?

@MrRinkana
Copy link

I can consistently recreate this issue. It seems to me like pterodactyl trusts source ip too much.
I have an unmodified install.

Sequence:

  1. Log in as a user "A"
  2. From the same external ip, for example by being in the same wifi, vpn or behind the same cg-nat (and such): open the login form on a different computer, and try to log in as user "B".
  3. If pterodactyl panel answers with "error, could not log in", reloading the page with F5 logs in as user A, skipping password and 2fa.
  4. logging out logs the user from device in step 1 as well.
  5. Attempting the steps again the problem does not seem to occur. I'm still investigating triggers.

I discovered this the first time when I had created an account for a family member (leaving the password field empty, such that they would set it up from the email). My family member had trouble setting the password (it gave an error) but then when the browser was F5:d he suddenly was logged in on my admin account, skipping password or 2fa.

Does pterodactyl not use a session in the browser? A cookie? I don't understand how this is possible even if a reverse proxy is incorrectly setup.

@MackenzieMolloy
Copy link

MackenzieMolloy commented Dec 31, 2024
edited
Loading

I can consistently recreate this issue. It seems to me like pterodactyl trusts source ip too much. I have an unmodified install.

Sequence:

  1. Log in as a user "A"
  2. From the same external ip, for example by being in the same wifi, vpn or behind the same cg-nat (and such): open the login form on a different computer, and try to log in as user "B".
  3. If pterodactyl panel answers with "error, could not log in", reloading the page with F5 logs in as user A, skipping password and 2fa.
  4. logging out logs the user from device in step 1 as well.
  5. Attempting the steps again the problem does not seem to occur. I'm still investigating triggers.

I discovered this the first time when I had created an account for a family member (leaving the password field empty, such that they would set it up from the email). My family member had trouble setting the password (it gave an error) but then when the browser was F5:d he suddenly was logged in on my admin account, skipping password or 2fa.

Does pterodactyl not use a session in the browser? A cookie? I don't understand how this is possible even if a reverse proxy is incorrectly setup.

Could you provide a screenshot featuring this error, could not log in message?

As I do not recognise this specific phrase as an error message (For example, do you mean the simple No account matching those credentials could be found?)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
not confirmed Report seems plausible but requires additional testing or 3rd part confirmation.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@danny6167 @MrRinkana @MackenzieMolloy @Mutex21 @Krstf01