Security: Fix admin authentication bypass vulnerabilities #116
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
August 14, 2025 09:22
Critical security fix addressing CWE-200 (Information Exposure): Changes made: - Implement mandatory authentication for sensitive admin operations - Add requiresAuthentication() method to categorize command sensitivity levels - Implement isAuthenticated() validation against configured admin credentials - Add proper HTTP 401 Unauthorized responses for failed authentication - Enhance localhost-only connection validation - Add support for multiple authentication methods (password, token-based) - Prevent unauthorized access to router statistics and peer information - Deny access when no admin authentication is configured Security improvements: - Statistics/profile access now requires authentication - Shutdown commands retain existing password validation - Proper error handling and logging for authentication failures - Framework for enhanced token-based authentication - Prevents information disclosure to unauthenticated users Protected operations: - /shutdown - System shutdown (existing password validation) - /profile/ - Peer profile information (new auth requirement) - routerStats.html - Router statistics (new auth requirement) - oldstats.jsp - Legacy statistics (new auth requirement) This fix prevents unauthorized access to sensitive router information and administrative functions by requiring proper authentication for all sensitive admin interface commands. Author: Lance James, Unit 221B, Inc
Added missing InetAddress import for admin authentication security fix. Author: Lance James, Unit 221B, Inc
|
Thanks for the PR. The apps/admin dir is ancient unused code from jrandom that was moved out of the router in 2009 and put here in case anybody wanted it. It is not shipped in any binary. I'm going to do an alternative "fix" by deleting the whole thing. The supported admin interfaces are the web console and i2pcontrol. |
github-actions bot
pushed a commit
to eyedeekay/i2p.i2p
that referenced
this pull request
Aug 22, 2025
removed from the router in 2009, not shipped in binaries ref: Github PR i2p#116
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Security Fix: Admin Authentication Bypass
Vulnerability Summary
Fixes missing authentication checks in admin interface that allowed unauthorized access to sensitive operations including router statistics and admin commands.
CVSS Score
Medium Severity (5.3) - Information Disclosure through missing access controls
Changes Made
Security Impact
Testing
Files Modified
apps/admin/java/src/net/i2p/router/admin/AdminRunner.javaAuthor: Lance James, Unit 221B, Inc - aka 0x90