Security release 4.11.1 of pretix

5. Juli 2022

In the past days, we identified a security-relevant issue inside pretix. We therefore just released versions 4.11.1, 4.10.1, and 4.9.1 of pretix that fix these problems. We strongly recommend that you update your installation as soon as possible. If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you only need to take action if you have custom code using the API (see below).

We treat this as a serious security issue because it could lead to unauthorized access to your event. However, we want to clarify that this issue does not lead to any unauthorized access of personal data or to any deletion of data. While we can't give any binding legal guidance, we therefore do not think that it is necessary that you notify your users or any authorities about this.

We have found no indication that this issue has been found and exploited by someone other than us before.

#1: Incorrect handling of scanned barcodes [HIGH]

When a ticket QR code is scanned, for example through our official pretixSCAN apps, the QR code is decoded and the contents are sent to our API. The API call is made to an URL that looks like /api/v1/…/checkinlists/1/positions/<VALUE>/redeem/. In this URL, <VALUE> is replaced with the decoded contents of the QR code. Our backend will then figure out if there is a ticket with this QR code and return a response with details on the ticket (or an error message). However, the API is designed to support multiple use cases, and also allows sending <VALUE> as the internal ID of a ticket instead of the ticket QR code.

Unlike the ticket QR code, the internal ID of a ticket is not a well-kept secret and doesn't change if a ticket is transferred to another person. Therefore, anyone who finds out a valid internal ticket ID (through guessing, or through previous access to a ticket), can create a QR code containing the internal ticket ID. This QR code will also be accepted for this ticket by our pretixSCAN apps, since the API will be able to find the ticket and return the correct information.

Mitigations:

Unfortunately, we can't just change how the API works without prior notice, because this would risk breaking valid workflows of customers directly using the API. However, as we need a solution for this problem right away, we've implemented the following mitigations:

The API now supports a new query parameter ?untrusted_input=true. If this parameter is set, the <VALUE> will always be treated as a ticket QR code, and never as a ticket ID. If you maintain a third-party component that uses the ticket redemption API for handling barcode input, you should change your implementation to include this parameter as soon as possible.
The flag untrusted_input=true will be set automatically for all devices registered with "pretixSCAN" in their software_brand attribute. This ensures that the new protection is active immediately after upgrading the pretix server, and there is no need to rush with updating all scanner apps.
In one of the next releases, we will completely refactor this part of the API and slowly deprecate the old version in order to prevent people from forgetting to set the new flag.

Severity rating: Since this bug cannot lead to a violation of permissions or a data leakage but still compromises the physical security of the event, we assess the severity of this issue as high.

Affected versions: All supported versions of pretix are affected.

Fixed versions

All pretix installations are affected. We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 4.9, please upgrade to a recent version now.

The new docker images will appear on Docker Hub over the next few hours.

We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.

If you want to keep updated about bugfix and security releases, you should follow this blog closely. A RSS feed is available and we also announce every blogpost on twitter.

We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at security@pretix.eu. We will always treat your message with the appropriate priority.

Raphael Michel

Raphael ist der Gründer und Haupt-Entwickler von pretix. Er begeistert sich für benutzerfreundliche, elegante Software und wenn er nicht zu beschäftigt mit pretix ist, organisiert er gerne selbst Konferenzen mit.