Security release 3.13.1 of pretix

In the past days, during security testing performed by a client, as well as thanks to an external report, we identified a number of security-relevant issues inside pretix. We therefore just released versions 3.11.1, 3.12.1, and 3.13.1 of pretix that fix these problems. We strongly recommend that you update your installation as soon as possible. If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.

There is no indiciation that any of these issues have ever been used for unauthorized data access.

#1: Hotlinking to temporary downloads [HIGH]

If you create an export through the pretix backend, the system creates a temporary file with the exported data and then allows you to download the file. During the download step, the system does not check again whether you are authorized to download that file.

Therefore, if you create and download an export in the pretix backend and then log out, an attacker with access to your browser history could download the file again. The files do have an unguessable file name (therefore access to the browser history is required) and are deleted from the server after 3 days (so the access needs to occur within that time frame).

We fixed this problem by making sure the file can only be downloaded using the session it was created in, as well as reducing the deletion interval from 72 to 24 hours.

Severity rating: We don't think this is a likely scenario for most of pretix users. Even if the pretix backend is operated from a shared computer, downloading exports comes with lots of other risks (like forgetting to delete them from the download folder). However, since this theoretically grants unauthorized access to data, we assess the severity of this issue as high.

Affected versions: All versions of pretix are affected.

This issue has been found during a pentest performed by our client Juvare.

#2: Unvalidated redirect [MEDIUM]

In the authentication component there was the possibility to redirect the user to an arbitrary other page, for example by accessing /control/login?next=http://example.org/. This would only work if the user is already logged in.

This could be used as part of a phishing attack, by linking the user to an URL that appears to be trustworthy because it is on the domain of the pretix installation but then redirects to a third-party page that asks for login credentials again.

We fixed this problem by now properly checking all redirection URLs in all places.

Severity rating: Since this bug cannot lead to a violation of permissions or a data leakage but only to a wrong perception of trust, we assess the severity of this issue as medium.

Affected versions: All released versions of pretix are affected.

This issue has been found during a pentest performed by our client Juvare.

#3: Login not rate-limited [MEDIUM]

In self-hosted versions of pretix, there used to be no rate limiting of login attempts. For pretix Hosted, we've long been rate-limiting requests to the login form on a web server level.

This release introduces a rate limit of at most 10 failed login attempts within a five minute interval per client IP address. The rate limit will only be in effect if pretix is configured to recognize the correct client IP address. Addresses from private IP space will not be rate limited.

Severity rating: Since this bug does not lead to a data leakage or direct account takeover, but might make account takeover easier, we assess the severity of this issue as medium.

Affected versions: All released versions of pretix are affected.

This issue has been identified internally.

#4: Changing passwords not rate-limited [LOW]

There used to be no rate limiting of attempts to change the password of an existing user. Therefore, after taking over an active user session, you could try as many times as you want to guess their password.

This release introduces a rate limit of at most 10 change attempts within a five minute interval per user account.

Severity rating: Since this can only lead to account takeover of an account with both a successfully stolen session as well as a weak passwort, we assess the severity of this issue as low.

Affected versions: All released versions of pretix are affected.

This issue has been reported to us by Mohsin Ali.

#5: Phishing opportunity due to markdown links [LOW]

pretix allows the use of markdown and some HTML elements in many places both in the frontend as well as in emails. The HTML is in all cases strictly sanitized to only contain allowed elements, which renders XSS or similar attacks impossible.

However, the fact that HTML/markdown can be used, leaves some room to use a pretix installation for a phishing attack. For example, someone who has gained access to the backend, could send out an email to users containing a link like this:

<a href="https://evil-phishing-site.com">https://pretix.eu/safe-link-to-click/</a>

Since the email would look very authentic (in fact, it would be originating from the correct pretix installation), most users would probably click that link, not expecting it to take them somewhere else.

This is not something we can completely fix in all cases without removing the option to include links in emails, which is a required feature. However, we are introducing a detection mechanism that will auto-detect most of these cases. In the example above, the link would now automatically be changed to this:

<a href="https://evil-phishing-site.com">https://evil-phishing-site.com</a>

Severity rating: Since exploiting this bug requires access to a backend account and does not directly lead to any data leak, we access the severity of this issue as low.

Affected versions: All released versions of pretix are affected.

This issue has been found during a pentest performed by our client Juvare.

Fixed versions

All pretix installations are affected. We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 3.11, please upgrade to a recent version now.

• 3.13.1
• 3.12.1
• 3.11.1

The new docker images will appear on Docker Hub over the next few hours.

We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.

If you want to keep updated about bugfix and security releases, you should follow this blog closely. A RSS feed is available and we also announce every blogpost on twitter.

We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at support@pretix.eu. We will always treat your message with the appropriate priority.