mirror of
https://github.com/binwiederhier/ntfy.git
synced 2026-05-09 08:26:00 +02:00
[GH-ISSUE #1316] Publicly exposed NTFY web interface allowing unauthorized publish or subscribe access. #933
Originally created by @Remonsazzad on GitHub (Apr 21, 2025).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1316
ntfy-web-exposure
Vulnerable IPs:
http://147.135.1.155/settings
http://147.135.114.248/settings
http://159.203.157.154/settings
http://135.148.243.12/settings
http://142.93.11.244:8150/settings
http://135.148.48.129/settings
http://142.93.205.105/settings
http://159.65.221.152/settings
http://159.223.136.48/settings
http://172.104.11.109/settings
http://143.42.6.46/settings
http://161.35.115.143/settings
http://172.232.10.86/settings
http://172.232.9.32/settings
http://172.232.5.155/settings
http://172.232.25.41/settings
http://172.232.31.94/settings
http://108.174.61.219:8080/settings
http://172.232.11.95/settings
http://129.159.101.178/settings
http://100.26.21.146/settings
http://150.136.138.66/settings
http://107.174.26.14/settings
http://150.136.208.148/settings
http://150.136.161.59/settings
http://172.233.219.67/settings
http://172.233.234.203/settings
http://178.128.158.36/settings
http://173.255.230.134:8080/settings
http://172.233.223.21/settings
http://172.233.223.181:8092/settings
http://172.234.195.69/settings
http://172.234.207.20/settings
http://172.233.221.122/settings
http://172.234.26.66/settings
http://206.189.181.180/settings
http://178.156.149.97/settings
http://3.82.114.241/settings
http://173.211.12.34:8000/settings
http://198.12.65.10:2222/settings
http://192.3.24.21/settings
http://23.95.15.227:3051/settings
http://192.3.164.201:8001/settings
http://23.94.76.46:8080/settings
http://191.96.165.77:8150/settings
http://193.122.140.222/settings
http://192.210.197.55:2200/settings
http://45.79.141.103/settings
http://45.79.151.15/settings
http://45.33.85.167/settings
http://44.219.179.106/settings
http://45.79.151.136/settings
http://64.227.12.13/settings
http://50.116.54.38/settings
http://64.227.16.41:5005/settings
http://89.116.44.198/settings
http://67.205.164.177:8080/settings
http://66.228.41.26/settings
http://54.237.5.168/settings
https://107.172.88.145/settings
https://107.173.144.88/settings
https://135.148.33.129/settings
https://159.223.136.48/settings
https://165.22.187.87/settings
https://159.223.167.240:4444/settings
https://129.159.101.178/settings
https://159.203.157.154/settings
https://129.213.43.57/settings
https://150.136.136.191/settings
https://174.138.44.246/settings
https://172.104.26.65/settings
https://150.136.208.148/settings
https://206.189.181.180/settings
https://172.234.39.62/settings
https://172.234.24.134:4443/settings
https://172.232.14.100/settings
https://20.115.42.77/settings
https://172.245.6.104/settings
https://45.33.79.171/settings
https://45.56.103.209/settings
https://45.79.164.76/settings
https://52.207.181.82/settings
https://64.227.12.13/settings
https://66.228.41.26/settings
https://54.90.123.165/settings
https://97.107.128.213/settings
https://54.159.12.206/settings
https://52.70.23.69/settings
https://69.14.88.181/settings
@wunter8 commented on GitHub (Apr 21, 2025):
I'm not sure what you mean by this.
@Remonsazzad commented on GitHub (Apr 21, 2025):
Unauthorized Publish/Subscribe Access via Exposed /settings Endpoint
Summary: A vulnerability has been identified in the publicly exposed /settings web interface, allowing unauthorized users to publish or subscribe to notifications. This lack of access control can result in unintended exposure of sensitive notifications or the ability to flood users with unwanted messages.
@wunter8 commented on GitHub (Apr 21, 2025):
The web app is a simple client and cannot make changes to the server without logging in. https://docs.ntfy.sh/faq/#can-i-disable-the-web-app-can-i-protect-it-with-a-login-screen
Those settings just change stuff in your browser instance/local storage and do not affect the server at all.
Also, I'm pretty sure all of those instance owners will not be thrilled that you've listed their IPs here.
In the future, if you believe you've found a security vulnerability, please privately message @binwiederhier or myself and don't disclose everything publicly like this.
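The point of the reply above is that the `/settings` page is a client-side view stored in the browser, and that what an anonymous visitor can publish or subscribe to is decided by the server's access control, not by the web app. As an added example, not from the issue or the ntfy project, this `server.yml` fragment shows the server-side settings an operator would use to deny anonymous access; the keys (`auth-file`, `auth-default-access`, `web-root`) are taken from the ntfy server documentation as I know it and should be checked against the docs for the version in use, and the file path is a placeholder.

```yaml
# Added example (not from the issue or the ntfy project): hardened server.yml
# fragment. Key names assumed from the ntfy server docs; path is a placeholder.

# Enable the user/ACL database and require a login for every topic.
auth-file: "/var/lib/ntfy/user.db"

# Anonymous clients get neither read nor write on any topic; per-topic
# access is then granted explicitly with `ntfy access`.
auth-default-access: "deny-all"

# Optional: do not serve the web app at all (the HTTP/JSON API keeps working).
# web-root: "disable"
```

With `auth-default-access: deny-all`, an instance whose `/settings` page is reachable still rejects anonymous publish and subscribe requests; the web UI being visible is not, by itself, evidence that the server is open.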
@Remonsazzad commented on GitHub (Apr 22, 2025):
Okay