Vulnerability Disclosure affecting BTCPay Server <= v1.0.7.0

Posted in Announcements by pavlenex on 4/30/2021

On March 30th, we released BTCPay Server v1.0.7.1. This version was a security release that patched one critical, one medium and several low-impact vulnerabilities in all BTCPay Server versions prior to v1.0.7.1.

If you're a BTCPay Server user running a version older than v1.0.7.1, we strongly recommend that you update your instance. To update, go to Server Settings > Maintenance tab and click Update, or run btcpay-update.sh from the command line.

# ⏱️ Timeline

  1. 19.03. - Vulnerabilities responsibly disclosed by Tesla's security engineering team.
  2. 19.03. - BTCPay Server team acknowledged the findings and started investigating.
  3. 19.03. - BTCPay Server team confirmed the vulnerabilities.
  4. 20.03-23.03 - BTCPay Server and Tesla's security engineering team worked together to patch the vulnerabilities and determine further steps.
  5. 24.03 - Tesla security requested the filing of 6 CVE-IDs for the disclosed issues.
  6. 25.03 - Tesla security team assisted in filing the CVE-IDs with MITRE.
  7. 26.03 - 6 CVE-IDs reserved with MITRE.
  8. 30.03 - BTCPay Server v1.0.7.1 released, patching all vulnerabilities.
  9. 30.03 - BTCPay Server publicly acknowledged the findings and announced a new release, urging affected users to update in order to mitigate.

In this article, we are disclosing the vulnerabilities.

# CVE-2021-29251 (Account takeover)

A malicious party could trigger a password reset email to the victim. If the victim clicked the link in the mail (or if anti-virus email software automatically visited the link), the targeted account could be taken over.

  • Details: Host header manipulation (Host, X-Forwarded-Host and X-Forwarded-For) allows an attacker to spoof the password reset URL, leading to account takeover with either no user interaction (under certain circumstances where enterprise mail clients are used) or single-click user interaction.
  • Users affected: Users running a Docker deployment that have email server settings configured and share their instance with other users.
  • Impact: Account takeover / Escalation of Privileges
  • Severity: Critical
  • Affected versions <= 1.0.7.1

# CVE-2021-29246 (Path Traversal)

BTCPay Server was not properly validating file names in upload forms, which could result in uploaded files being saved in an arbitrary location on the server. The forms required admin permission.

  • Details: BTCPay versions <= 1.0.7.0 suffer from directory traversal, which allows an attacker with admin privileges to craft a malicious plugin file name containing special characters so that the file is written outside of the restricted directory, leading to code execution.
  • Impact: Code Execution
  • Severity: Medium
  • Affected versions <= 1.0.7.1
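
The fix for this class of bug is to never let the client-supplied name decide the directory, and to verify the final path after normalisation. Below is an added example, not BTCPay Server code: a vulnerable join beside a hardened version that allowlists the name, keeps only the basename and then proves the resolved path still lies under the plugin directory, plus an audit helper for checking paths already on disk or in logs. The plugin directory and file names are constructed for the example.

```python
"""Added example (not BTCPay Server code): confining an uploaded plugin file to
its intended directory before it is written."""
import os
import re

# Constructed location standing in for the real plugin upload directory.
PLUGIN_DIR = "/srv/btcpay/plugins"
# Conservative allowlist for the client-supplied name: must start with an
# alphanumeric, then alphanumerics, dot, underscore or dash, at most 128 chars.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def target_path_vulnerable(upload_name: str) -> str:
    """Pre-fix pattern: the client-supplied name is joined straight onto the
    directory, so '..' segments (or an absolute path) escape it."""
    return os.path.normpath(os.path.join(PLUGIN_DIR, upload_name))


def is_safe_upload_name(upload_name: str) -> bool:
    """Reject anything that is not a bare file name matching the allowlist.
    basename() strips directory components; comparing it to the original
    catches '../x', 'a/b' and absolute paths in one go."""
    name = os.path.basename(upload_name)
    return name == upload_name and bool(SAFE_NAME.fullmatch(name))


def escapes_plugin_dir(path: str) -> bool:
    """Audit helper: True if a candidate path resolves outside PLUGIN_DIR.
    Both sides are passed through realpath so symlinks and '..' are normalised."""
    base = os.path.realpath(PLUGIN_DIR)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def target_path_hardened(upload_name: str) -> str:
    """Fixed pattern: allowlist the name, then independently verify containment
    of the resolved path (defence in depth against allowlist mistakes)."""
    if not is_safe_upload_name(upload_name):
        raise ValueError(f"rejected upload name {upload_name!r}")
    candidate = os.path.join(os.path.realpath(PLUGIN_DIR), upload_name)
    if escapes_plugin_dir(candidate):
        raise ValueError(f"path escapes plugin directory: {candidate!r}")
    return os.path.realpath(candidate)


if __name__ == "__main__":
    print(target_path_vulnerable("../../../tmp/escaped.dll"))  # lands in /tmp
    print(target_path_hardened("MyPlugin.btcpay"))             # stays in PLUGIN_DIR
    print(is_safe_upload_name("../../../tmp/escaped.dll"))      # False
```

Note that the containment check uses commonpath rather than a string prefix test, so a sibling directory such as /srv/btcpay/plugins-old is not mistaken for a location inside the plugin directory.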

# CVE-2021-29250 (Stored XSS)

A stored XSS vulnerability in the Point of Sale feature.

  • Details: BTCPay versions <= 1.0.7.0 suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the POS Add Products functionality, which enables cookie stealing.
  • Impact: Cross Site Scripting (XSS)
  • Severity: Medium
  • Affected versions <= 1.0.7.1
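
Stored XSS in a product editor is an output-encoding problem: whatever an admin typed into the product title is later written into the POS page. The following is an added example, not BTCPay Server code: it renders a constructed product record once with raw interpolation and once with context-appropriate escaping for HTML text, quoted attributes and an inline JSON script block. The product fields and markup are constructed for the example.

```python
"""Added example (not BTCPay Server code): rendering operator-supplied product
data into a POS page with escaping appropriate to each output context."""
import html
import json

# Constructed product entry of the kind a POS editor might store. The title
# carries a harmless script tag so the effect of escaping is visible.
CONSTRUCTED_PRODUCT = {
    "title": 'Coffee" <script>alert(1)</script>',
    "price": "2.50",
}


def render_vulnerable(product: dict) -> str:
    """Pre-fix pattern: raw string interpolation into HTML, so the stored title
    is parsed as markup by every browser that loads the POS page."""
    return (f'<div class="product" data-title="{product["title"]}">'
            f'<h3>{product["title"]}</h3><span>{product["price"]}</span></div>')


def render_hardened(product: dict) -> str:
    """Fixed pattern: html.escape(quote=True) encodes <, >, &, " and ', which
    covers both the text node and the double-quoted attribute used here."""
    title = html.escape(product["title"], quote=True)
    price = html.escape(str(product["price"]), quote=True)
    return (f'<div class="product" data-title="{title}">'
            f'<h3>{title}</h3><span>{price}</span></div>')


def embed_for_script(product: dict) -> str:
    """When the data must reach inline JavaScript, serialise it as JSON and
    additionally encode '<' so a value containing '</script>' cannot close the
    surrounding script element."""
    data = json.dumps(product).replace("<", "\\u003c")
    return f"<script>var product = {data};</script>"


def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    """Audit helper: does an untrusted value appear unescaped in the output?"""
    return untrusted in rendered


if __name__ == "__main__":
    print(render_vulnerable(CONSTRUCTED_PRODUCT))
    print(render_hardened(CONSTRUCTED_PRODUCT))
    print(embed_for_script(CONSTRUCTED_PRODUCT))
```

A Content-Security-Policy that disallows inline scripts would have limited the impact further, but it is a mitigation layered on top of correct encoding, not a replacement for it.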

# CVE-2021-29245 (Insufficient Randomness)

The generation of legacy API keys and the selection of UTXOs in Payjoin used a weak RNG.
A legacy API key can only be used to create new invoices. If you use one, we advise you to regenerate the API key for your store.

  • Details: The method GenerateLegacyAPIKey in TokenRepository.cs uses the weak, non-cryptographic Next method to produce random values.
  • Impact: Other/API
  • Severity: Low
  • Affected versions <= 1.0.7.1
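
A general-purpose PRNG such as the one behind a Next-style call is seeded from a small, guessable state, so its output is reproducible by anyone who can recover the seed. The following is an added example, not BTCPay Server code: it shows a seeded, predictable key generator of that kind beside a CSPRNG-based one, a CSPRNG-backed coin sampler of the sort a Payjoin UTXO selection needs, and a small predictability check. The alphabet, key length and UTXO records are constructed for the example.

```python
"""Added example (not BTCPay Server code): predictable versus CSPRNG-based
generation of API keys and of random UTXO selection."""
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def legacy_key_weak(seed: int, length: int = 20) -> str:
    """Pre-fix pattern: a non-cryptographic PRNG seeded from a guessable value
    (the Python analogue of calling a seeded Random.Next in a loop). The same
    seed always yields the same key, so the key space collapses to the seed space."""
    rng = random.Random(seed)
    return "".join(ALPHABET[rng.randrange(len(ALPHABET))] for _ in range(length))


def api_key_strong(nbytes: int = 32) -> str:
    """Fixed pattern: the OS CSPRNG via the secrets module, unseeded and
    unpredictable; 32 bytes gives a 43-character URL-safe token."""
    return secrets.token_urlsafe(nbytes)


def select_utxos_strong(utxos: list[dict], k: int) -> list[dict]:
    """Pick k coins with a CSPRNG-backed sampler so the selection cannot be
    predicted from earlier transactions or from the server's clock."""
    return secrets.SystemRandom().sample(utxos, k)


def is_predictable(generator, seed: int, trials: int = 3) -> bool:
    """Audit helper: a generator that returns identical output for the same
    seed on repeated calls is unsuitable for secrets."""
    return len({generator(seed) for _ in range(trials)}) == 1


# Constructed UTXO set (txid placeholders, values in satoshis).
CONSTRUCTED_UTXOS = [
    {"txid": "aa" * 32, "vout": 0, "value": 120_000},
    {"txid": "bb" * 32, "vout": 1, "value": 75_000},
    {"txid": "cc" * 32, "vout": 0, "value": 310_000},
    {"txid": "dd" * 32, "vout": 2, "value": 42_000},
    {"txid": "ee" * 32, "vout": 0, "value": 990_000},
]

if __name__ == "__main__":
    print(legacy_key_weak(12345))      # identical on every run
    print(api_key_strong())            # different on every run
    print(select_utxos_strong(CONSTRUCTED_UTXOS, 2))
```

Rotating keys after such a fix matters because every key minted under the weak generator remains as guessable as it was on the day it was created.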

# CVE-2021-29247 (Lack of httponly)

A cookie used for saving user preferences (such as the search string on the invoices page) could be read from JavaScript because it was missing the HttpOnly flag.

  • Details: BTCPay versions <= 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HttpOnly flag on the cookie. A remote attacker could exploit this vulnerability to read sensitive information from the cookie.
  • Severity: Low
  • Affected versions <= 1.0.7.1

# CVE-2021-29248 (Lack of secure)

  • Details: BTCPay versions <= 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the Secure flag on the cookie. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.
  • Severity: Low
  • Affected versions <= 1.0.7.1
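
CVE-2021-29247 and CVE-2021-29248 are two attributes missing from the same Set-Cookie header, so one example covers both. The following is an added example, not BTCPay Server code: it emits the preferences cookie without and with HttpOnly and Secure, and includes a checker that parses Set-Cookie header values (as a proxy log or a HEAD request would show them) and reports which security attributes each cookie lacks. The cookie names and values are constructed for the example.

```python
"""Added example (not BTCPay Server code): setting HttpOnly and Secure on a
preferences cookie, and auditing Set-Cookie headers for missing attributes."""


def set_cookie_vulnerable(name: str, value: str) -> str:
    """Pre-fix pattern: no HttpOnly, so document.cookie can read the value;
    no Secure, so the browser also sends it over cleartext HTTP."""
    return f"{name}={value}; Path=/"


def set_cookie_hardened(name: str, value: str, max_age: int = 31536000) -> str:
    """Fixed pattern: HttpOnly keeps the cookie out of script, Secure keeps it
    off non-TLS connections, SameSite=Lax limits cross-site sending."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"


def audit_set_cookie(headers: list[str]) -> dict[str, list[str]]:
    """Return, per cookie name, the security attributes it is missing.
    Accepts either the bare header value or a full 'Set-Cookie: ...' line.
    Attribute names are compared case-insensitively, as RFC 6265 requires."""
    findings: dict[str, list[str]] = {}
    for header in headers:
        if header.lower().startswith("set-cookie:"):
            header = header.split(":", 1)[1]
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed response headers: one pre-fix preferences cookie, one hardened
# session cookie, and one that only got half the fix.
CONSTRUCTED_HEADERS = [
    set_cookie_vulnerable("btcpay.preferences", "invoiceSearch=abc"),
    "Set-Cookie: " + set_cookie_hardened("session", "opaque-session-id"),
    "legacy=1; Path=/; Secure",
]

if __name__ == "__main__":
    for cookie, missing in audit_set_cookie(CONSTRUCTED_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Running the checker against every response of a deployment is a cheap regression test: a framework change that silently drops an attribute shows up immediately.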

# No rate limit of forget password page

This vulnerability was reported by Qaiser Abbas, an independent researcher.

  • Details: The forgot password page was not properly rate-limiting attempts, allowing a malicious user to bombard the victim with forgot-password emails.
  • Severity: Low
  • Affected versions <= 1.0.7.1

# Summary

We would like to thank Tesla for submitting the disclosure that led to these fixes and helping us with remediation. We also want to thank Qaiser Abbas, an independent web-security researcher, for an additional responsible vulnerability disclosure that was handled in this release.

As an open-source project, the privacy and security of our users and community are our priority, and we are investing effort in further improving our security processes, including the creation of a bug-bounty program.

Thank you! 💚

Last Updated: 7/30/2021, 5:29:09 PM