id: teamcity-registration-enabled

info:
  name: JetBrains TeamCity - Registration Enabled
  author: Ph33r
  severity: high
  description: |
    JetBrains TeamCity allows all visitors to register due to a misconfiguration.
  reference:
    - https://ph33r.medium.com/misconfig-in-teamcity-panel-lead-to-auth-bypass-in-apache-org-0day-146f6a1a4e2b
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 7.30
    cwe-id: CWE-200
  metadata:
    verified: true
    shodan-query: http.component:"TeamCity"
  tags: misconfig,auth-bypass,teamcity,jetbrains

requests:
  - raw:
      - |
        GET /registerUser.html?init=1 HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2
    matchers:
      - type: word
        words:
          - '<title>Register a New User Account ? TeamCity</title>'

# Enhanced by mp on 2022/07/21