
[Bug] [Security] Vulnerability Report: Authentication Bypass in SafeLine WAF Management Interface

Published 8 months ago

# Github Issue


Xyborg

Updated 8 months ago


Summary

A configuration-based authentication bypass vulnerability exists in the SafeLine WAF management interface that disables authentication when the NO_AUTH environment variable is set during deployment.

Vulnerability Details

Severity: Medium
CVSS Score: 6.6 (Medium)
CWE: CWE-287 (Improper Authentication)
Affected Component: SafeLine Management Web Server
Affected File: management/webserver/main.go

Description

The SafeLine management web server contains logic that bypasses authentication middleware when any NO_AUTH environment variable is present with a non-empty value. This appears to be intended for development or testing purposes but creates a potential security risk in production deployments.

Impact

If exploited through deployment configuration, this vulnerability would provide:

  • Administrative access to protected API endpoints
  • Control over website configuration and SSL certificate management
  • Ability to modify WAF policy rules and security settings

Attack Scenarios

This vulnerability requires access to the deployment environment and is exploitable in these scenarios:

  1. Supply Chain Compromise: Malicious modification of deployment scripts or Docker Compose files
  2. Insider Threats: Intentional misuse by personnel with deployment access
  3. CI/CD Pipeline Compromise: Injection through compromised deployment pipelines
  4. Configuration Management Issues: Accidental inclusion in production deployments

Proof of Concept

```
# In Docker Compose deployment
environment:
  - NO_AUTH=1

# Or via environment variable
export NO_AUTH=true
```

Recommended Fixes

Option 1: Complete Removal (Recommended)

Remove the authentication bypass logic entirely:

```go
limitedRouters := r.Group("/api")
limitedRouters.Use(middleware.AuthRequired)
```

Option 2: Development Environment Restriction

If needed for development, restrict to development environments:

```go
if os.Getenv("ENVIRONMENT") == "development" && os.Getenv("NO_AUTH") != "" {
    logger.Warn("No auth - development mode only")
} else {
    limitedRouters.Use(middleware.AuthRequired)
}
```

CVSS v3.1 Breakdown

  • Attack Vector: Local (L) - requires deployment environment access
  • Attack Complexity: Low (L) - simple configuration change
  • Privileges Required: High (H) - needs deployment privileges
  • User Interaction: None (N)
  • Scope: Changed (C) - affects entire WAF system
  • Impact: High (H) for confidentiality, integrity, and availability

Base Score: 6.6 (Medium)

Timeline

  • Discovery Date: 28.09.2025
  • Vendor Notification: 28.09.2025

References

Credit

Discovered by: Martin Aberastegue / Torito


Note: While this vulnerability requires privileged access to exploit, it represents a configuration security risk that should be addressed to maintain defense-in-depth principles for a security product.

Citations

File: management/webserver/main.go (L162-167)

```go
	noAuth, existed := os.LookupEnv("NO_AUTH")
	if existed && len(noAuth) >= 0 {
		logger.Warn("No auth")
	} else {
		limitedRouters.Use(middleware.AuthRequired)
	}
```

File: management/webserver/main.go (L174-188)

```go
	limitedRouters.GET(api.User, api.GetUser)

	limitedRouters.GET(api.DetectLogList, api.GetDetectLogList)
	limitedRouters.GET(api.DetectLogDetail, api.GetDetectLogDetail)

	limitedRouters.POST(api.Website, api.PostWebsite)
	limitedRouters.PUT(api.Website, api.PutWebsite)
	limitedRouters.DELETE(api.Website, api.DeleteWebsite)
	limitedRouters.GET(api.Website, api.GetWebsite)

	limitedRouters.POST(api.UploadSSLCert, api.PostUploadSSLCert)
	limitedRouters.POST(api.SSLCert, api.PostSSLCert)

	limitedRouters.POST(api.PolicyRule, api.PostPolicyRule)
	limitedRouters.PUT(api.PolicyRule, api.PutPolicyRule)
```
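
Added example, not part of the original report or the SafeLine code base: a small Go scanner that a deployment pipeline could run over Compose, .env or shell files to flag any NO_AUTH setting before rollout. The `Finding` type, the `FindNoAuth` function and the sample file are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one line of a deployment file that sets NO_AUTH.
type Finding struct{ Line int; Value string }

// FindNoAuth scans Compose, .env or shell text for NO_AUTH in any form:
// "- NO_AUTH=1", "NO_AUTH: true", "export NO_AUTH=true" or a bare "- NO_AUTH".
// Every hit is reported whatever its value, because the cited check
// `existed && len(noAuth) >= 0` is true even for an empty string.
func FindNoAuth(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		s := strings.TrimSpace(line)
		if strings.HasPrefix(s, "#") {
			continue // commented-out entry
		}
		s = strings.TrimSpace(strings.TrimPrefix(s, "-"))
		s = strings.Trim(strings.TrimSpace(strings.TrimPrefix(s, "export ")), `"'`)
		if !strings.HasPrefix(s, "NO_AUTH") {
			continue
		}
		rest := strings.TrimSpace(s[len("NO_AUTH"):])
		if rest != "" && rest[0] != '=' && rest[0] != ':' {
			continue // a longer name such as NO_AUTH_HEADER
		}
		val := strings.Trim(strings.TrimSpace(strings.TrimLeft(rest, "=:")), `"'`)
		out = append(out, Finding{Line: i + 1, Value: val})
	}
	return out
}

// sampleCompose is constructed for this example, not a real deployment file.
const sampleCompose = `services:
  mgt:
    environment:
      # - NO_AUTH=1
      - NO_AUTH=
      - "NO_AUTH=true"
`

func main() {
	for _, f := range FindNoAuth(sampleCompose) {
		fmt.Printf("line %d: NO_AUTH=%q disables management API authentication\n", f.Line, f.Value)
	}
}
```

A bare `- NO_AUTH` entry is reported with an empty value because Compose passes the host's variable through when one is set.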

SpiderD555

Updated 7 months ago


Hi
Which version is that?
To which container do you attach this environment variable?
I tried with mgt and the management webpage still presented me with a login page.
As a regular homelab user I would argue that this may be a feature and not a bug (if it works), because then I would be able to put the management interface behind something like oauth proxy, and have a consistent SSO behavior across all my apps.
