Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2024-55963: Unauthenticated RCE in Default Install of Appsmith

Whit Taylor - Rhino Security, posted 11 months ago
  • Appsmith is an open-source developer tool designed to help organizations build internal applications, such as dashboards, admin panels, and customer support tools. It has three roles: admin, developer, and app viewer.
  • Appsmith has datasources that allow applications to use data from various databases and other endpoints, many of which run locally. One of these, configured by default, is a PostgreSQL database. This server's configuration allows logging into the database as any user without providing a password. The connection is made server-side.
  • Interacting with PostgreSQL requires a valid account. Although joining an existing workspace requires an invitation, the default configuration allows open user signup! A user can then create their own workspace and application to expose the vulnerable functionality.
  • An application the user creates can log in to Postgres as the superuser via the web console. From there it is possible to run cat /etc/passwd from a SQL query. Since this is the superuser, it's effectively game over.
  • There are two other bugs, but this one was by far the most interesting. Good find!