Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Gitea Public Registration Enabled

By kannthu

High
Vidoc logoVidoc Module
#misconfig#gitea
Description

What is "Gitea Public Registration Enabled?"

The "Gitea Public Registration Enabled" module is a test case designed to detect a misconfiguration in the Gitea software. Gitea is a self-hosted Git service that allows users to create and manage repositories. This module focuses on the specific misconfiguration where public registration is enabled, allowing arbitrary users to sign up and read code hosted on the service. The severity of this misconfiguration is classified as high.

This module was authored by edoardottt.

Impact

If the "Gitea Public Registration Enabled" module detects that public registration is enabled, it indicates a potential security vulnerability. This misconfiguration can lead to unauthorized access to sensitive code and data hosted on the Gitea service. It is important to address this issue promptly to prevent unauthorized users from gaining access to confidential information.

How the module works?

The "Gitea Public Registration Enabled" module works by sending an HTTP GET request to the "/user/sign_up" endpoint of the target Gitea instance. It then applies a series of matching conditions to determine if the misconfiguration is present.

Here is an example of the HTTP request sent by the module:

GET /user/sign_up

The module applies the following matching conditions:

- Matcher 1: It checks if the response contains the phrases "Powered by Gitea Version" and "Register -". - Matcher 2: It checks if the response body does not contain the phrase "Registration is disabled. Please contact your site administrator." - Matcher 3: It checks if the response status code is 200.

If all the matching conditions are met, the module reports the presence of the misconfiguration.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/user/sign_up
Matching conditions
word: Powered by Gitea Version, Register -and
NOT word: Registration is disabled. Please contact...and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability