Vulnerability description
Checks if the Remotely self-hosted remote desktop and collaboration web application has its user registration endpoint enabled, potentially allowing anyone to register without invitation.
id: remotely-registration-enabled

info:
  name: Remotely Registration Enabled
  author: ritikchaddha
  severity: high
  description: |
    Checks if the Remotely self-hosted remote desktop and collaboration web application has its user registration endpoint enabled, potentially allowing anyone to register without invitation.
  impact: |
    Enabling open registration on Remotely instances may allow unauthorized users to register and gain access to the application, depending on configuration.
  remediation: |
    Disable open registration if not required by setting 'RequireInvitationCodeForRegistration' to true in the Remotely configuration.
  reference:
    - https://github.com/lucent-sea/Remotely
    - https://github.com/lucent-sea/Remotely/blob/master/README.md
  metadata:
    verified: true
    max-request: 2
    vendor: lucent-sea
    product: remotely
    framework: aspnetcore
    shodan-query: title:"Remotely"
  tags: remotely,registration,exposure,misconfig

http:
  - method: GET
    path:
      - '{{BaseURL}}/Identity/Account/Register'
      - '{{BaseURL}}/Account/Register'

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Create a new account.'
          - 'Remotely'
        condition: and

      - type: word
        part: body
        words:
          - 'Registration is disabled.'
        negative: true

      - type: status
        status:
          - 200
# digest: 490a0046304402201ea043c4d8995ad27cd11b39f9435f458b5e91dd280fa3778362c329da36cc7802204fb0f731b0aa82a24d242c69befacd29812d50cdfea16b0817dbe5a1e6c33cd2:922c64590222798bb761d5b6d8e72950
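The template's verdict depends on how its three matchers combine: both words of the first matcher must appear (condition: and), the "Registration is disabled." text must be absent (negative: true), and the status must be 200, with matchers-condition: and requiring all three. The following added example, which is not part of the template or the Nuclei project, re-implements that matcher logic in plain Python and evaluates it against constructed sample responses, so an administrator can confirm what the template will and will not flag (for instance, a Remotely instance that shows the register page with the "disabled" notice is correctly not reported) before running it against their own deployment. The Response, WordMatcher and StatusMatcher classes are assumptions made for this example; the default word-matcher condition of "or" mirrors Nuclei's documented default.

```python
# Added example: offline evaluation of the template's matcher logic.
# Not code from the Nuclei project; classes below are constructed for illustration.
from dataclasses import dataclass
from typing import List


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not a real client)."""
    status: int
    body: str


@dataclass
class WordMatcher:
    """Equivalent of a Nuclei 'type: word' matcher on part: body."""
    words: List[str]
    condition: str = "or"      # Nuclei's default when 'condition' is omitted
    negative: bool = False     # negative: true inverts the result

    def matches(self, resp: Response) -> bool:
        hits = [w in resp.body for w in self.words]
        found = all(hits) if self.condition == "and" else any(hits)
        return (not found) if self.negative else found


@dataclass
class StatusMatcher:
    """Equivalent of a Nuclei 'type: status' matcher."""
    status: List[int]

    def matches(self, resp: Response) -> bool:
        return resp.status in self.status


# The three matchers from the template above; matchers-condition: and
TEMPLATE_MATCHERS = [
    WordMatcher(words=["Create a new account.", "Remotely"], condition="and"),
    WordMatcher(words=["Registration is disabled."], negative=True),
    StatusMatcher(status=[200]),
]


def registration_open(resp: Response, matchers=TEMPLATE_MATCHERS) -> bool:
    """True only when every matcher passes, as matchers-condition: and requires."""
    return all(m.matches(resp) for m in matchers)


# Constructed sample responses (not captured from a real instance).
OPEN_PAGE = Response(
    200, "<title>Remotely</title><h4>Create a new account.</h4><form>...</form>")
DISABLED_PAGE = Response(
    200, "<title>Remotely</title><h4>Create a new account.</h4>"
         "<p>Registration is disabled.</p>")
LOGIN_REDIRECT = Response(302, "")
OTHER_APP = Response(200, "<h4>Create a new account.</h4>")  # no 'Remotely' string


if __name__ == "__main__":
    samples = {
        "open registration page": OPEN_PAGE,
        "register page with disabled notice": DISABLED_PAGE,
        "redirect to login": LOGIN_REDIRECT,
        "unrelated app with register form": OTHER_APP,
    }
    for label, resp in samples.items():
        print(f"{label}: flagged={registration_open(resp)}")
```

Only the first sample is flagged; the negative matcher is what keeps a deployment that has already set RequireInvitationCodeForRegistration from being reported even though its page still contains the "Create a new account." heading.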