Package Instance

Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
Using the `/locales/locale.json` with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code, without being authenticated.

With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways.  It could be used to gain access to the Panel's server, read credentials from the Panel's config (`.env` or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc.

Cross-Site Request Forgery (CSRF)
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the malicious user, this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user, it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems.

Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
Pterodactyl does not revoke _active_ SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked.

Cross-Site Request Forgery (CSRF)
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go.This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected, this is simply an annoyance at worst.** This is fixed

Pterodactyl panel's admin area vulnerable to Cross-site Scripting
Importing a malicious egg or gaining access to wings instance could lead to XSS on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted:
- Egg Docker images
- Egg variables:
- Name
- Environment variable
- Default value
- Description
- Validation rules

Additionally, certain fields would reflect malicious input, but it would require the user knowingly entering such input to have an impact.

To iterate, this would require an administrator to perform actions and can't be triggered by a normal panel user.

Pterodactyl improperly locks resources allowing raced queries to create more resources than alloted
Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle.

However, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time.

As a result a server would be able to create more databases, allocations, or backups than configured.

Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
A missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with.

Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes.

_This vulnerability requires a user to acquire a secret access token for a node. We rated this issue based on potential worst outcome. Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token._

Pterodactyl vulnerable to 2FA Sniffing
**Pterodactyl version 0.7.13 and lower - 2FA Sniffing**

Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.

### Impact
Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.

A logical mistake was made when the original code was written that would wait to verify the user's password until they had provided 2FA credentials if it was enabled on their account. However, because of this you could enter a bad password for a known email and determine if the account exists if you got redirected to a 2FA page.

### For more information
If you have any questions or comments about this advisory please react out on Discord or email dane@[project name].io.

Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”
When an administrative user creates a new database host they are prompted to provide a `Host` value which is expected to be a domain or IP address. When an invalid value is encountered and passed back to `gethostaddr` and/or directly to the MySQL connection tooling, an error is returned. This error is then passed back along to the front-end, but was not properly sanitized when rendered.

Therefore it is possible for an admin to _knowingly_ paste a malicious payload such as `<script>prompt(document.domain)</script>` into the `Host` field and XSS themselves.

Pterodactyl TOTPs can be reused during validity window
When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently marked as used in the system allowing an attacker that intercepts that token to then use it in addition to a known username/password during the token validity window.

This vulnerability requires that an attacker already be in possession of a valid username and password combination, and intercept a valid 2FA token (for example, during a screen share). The token must then be provided in addition to the username and password during the limited token validity window. The validity window is ~60 seconds as the Panel allows at most one additional window to the current one, each window being 30 seconds.

Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled
When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent.  While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user's password in plain text.

If a malicious user obtains access to these logs they could *potentially* authenticate against a user's account; assuming they are able to discover the account's email address or username **separately**.

Insufficient Session Expiration in Pterodactyl API
### Impact
A vulnerability exists in Pterodactyl Panel `<= 1.6.6` that could allow a malicious attacker that compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to.

It is important to note that **a malicious user must first compromise an existing API key for a user to exploit this issue**. It cannot be exploited by chance, and requires a coordinated attack against an individual account using a known API key.

### Patches
This issue has been addressed in the `v1.7.0` release of Pterodactyl Panel.

### Workarounds
Those not wishing to upgrade may apply the change below:

```diff
diff --git a/app/Http/Middleware/Api/AuthenticateKey.php b/app/Http/Middleware/Api/AuthenticateKey.php
index eb25dac6..857bfab2 100644
--- a/app/Http/Middleware/Api/AuthenticateKey.php
+++ b/app/Http/Middleware/Api/AuthenticateKey.php
@@ -70,7 +70,7 @@ class AuthenticateKey
         } else {
             $model = $this->authenticateApiKey($request->bearerToken(), $keyType);

-            $this->auth->guard()->loginUsingId($model->user_id);
+            $this->auth->guard()->onceUsingId($model->user_id);
         }
```

### For more information
If you have any questions or comments about this advisory please reach out to `Tactical Fish#8008` on [Discord](https://discord.gg/pterodactyl) or email `dane@pterodactyl.io`.

Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change
Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.
This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.