{"id":55362,"date":"2026-05-18T14:51:38","date_gmt":"2026-05-18T14:51:38","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=55362"},"modified":"2026-05-18T14:51:38","modified_gmt":"2026-05-18T14:51:38","slug":"bichon-102-bearer-access-token-disclosure","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=55362","title":{"rendered":"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272"},"content":{"rendered":"

{“lastseen”:”2026-05-18T19:05:51″,”description”:”Bichon version 1.0.2 accepts Bearer access tokens via GET requests which has the negative side affect of being disclosed in logs, REFERER headers, and more…”,”published”:”2026-05-18T00:00:00″,”modified”:”2026-05-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:221272″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”Bichon 1.0.2 Bearer Access Token Accepted via Query String + Logged\\n ===================================================================\\n \\n Vendor: rustmailer\\n Product: Bichon – self-hosted email archiving server (Rust + TypeScript)\\n Project URL: https:\/\/github.com\/rustmailer\/bichon\\n Affected: All versions through HEAD as of 2026-05-18\\n Commit: 9daab241b0220e81e43d4b98616d77fa45ad58c7\\n Release: 1.0.2\\n Patched: Pending vendor fix\\n Severity: Medium\\n CVSS 3.1: 6.5 (AV:N\/AC:L\/PR:N\/UI:R\/S:C\/C:H\/I:L\/A:N)\\n CWE: CWE-598 (Use of GET Request Method With Sensitive\\n Query Strings)\\n CWE-532 (Insertion of Sensitive Information into\\n Log File)\\n CWE-522 (Insufficiently Protected Credentials)\\n CVE: Pending (requested via GitHub CNA)\\n Discovered: 2026-05-18 (manual source review + live verification)\\n Researcher: AoxLir \\u003ceren.demir@razesecurity.com\\u003e\\n Disclosure: Coordinated (Project Zero 90-day standard)\\n \\n \\n I. Background\\n =============\\n \\n Bichon’s REST API uses opaque Bearer access tokens (issued by the\\n \/api\/login endpoint or the \/api\/v1\/access-token endpoint) for\\n authorization on \/api\/v1\/* paths. The standard delivery mechanism is\\n the Authorization: Bearer header.\\n \\n \\n II. Vulnerability Detail\\n ========================\\n \\n In crates\/server\/src\/common\/auth.rs lines 97-106\\n (extract_client_context):\\n \\n let bearer = req\\n .headers()\\n .typed_get::\\u003cAuthorization\\u003cBearer\\u003e\\u003e()\\n .map(|auth| auth.0.token().to_string())\\n .or_else(|| req.params::\\u003cParam\\u003e()\\n .ok()\\n .map(|param| param.access_token));\\n \/* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\\n Fallback: token read from the URL query string *\/\\n \\n let token = bearer.ok_or_else(|| {\\n create_api_error_response(\\”Valid access token not found\\”,\\n ErrorCode::PermissionDenied)\\n })?;\\n \\n Where Param is:\\n \\n #[derive(Deserialize)]\\n struct Param {\\n access_token: String,\\n }\\n \\n This is explicitly discouraged by RFC 6750 (sections 2.3 and 5.3) due\\n to leakage via access logs, browser history, Referer headers, and\\n shared screenshots.\\n \\n Live testing additionally confirmed that Bichon’s own logger\\n (bichon_server::common::log) writes the full token to stdout on every\\n request – meaning that running `docker logs bichon` (which any\\n container operator has access to) exposes valid bearer tokens of all\\n users.\\n \\n \\n III. Proof of Concept\\n =====================\\n \\n Verified live against rustmailer\/bichon:1.0.2 (Docker).\\n \\n Step 1: Make an authenticated API call using ONLY the query string\\n (no Authorization header):\\n \\n $ curl -i \\\\\\n ‘http:\/\/localhost:15630\/api\/v1\/current-user?access_token=mFa5HSBUHDjG5vTDqBYAADXH’\\n \\n HTTP\/1.1 200 OK\\n content-type: application\/json; charset=utf-8\\n …\\n \\n {\\”username\\”:\\”bob\\”,\\”email\\”:\\”bob@example.com\\”, …}\\n \\n The query-string fallback fully replaces the header.\\n \\n Step 2: Inspect Bichon’s own application log:\\n \\n $ docker logs bichon-poc 2\\u003e\\u00261 | grep current-user | tail -2\\n 2026-05-18T12:01:53.748+00:00 INFO request{remote_addr=172.17.0.1\\n method=GET path=\/api\/v1\/current-user\\n query=Some(\\”access_token=mFa5HSBUHDjG5vTDqBYAADXH\\”)\\n referer=None content_length=None}:\\n request completed successfully status=200 duration=53.351us\\n \\n The token is written verbatim to stdout by the application itself.\\n No reverse proxy, CDN, or browser is needed to leak it.\\n \\n \\n IV. Impact\\n ==========\\n \\n * Any operator with `docker logs` \/ `journalctl -u bichon` access\\n immediately obtains every active bearer token. Bichon\\n deployments commonly include a non-Bichon operator (DevOps, SRE,\\n log aggregator service account). Such operator can impersonate\\n any user, including admin, until the token is revoked or expires.\\n \\n * Log shippers (Datadog, CloudWatch, Splunk, ELK, Loki, Promtail)\\n forward the raw stdout – tokens land in third-party log\\n repositories where retention, ACLs, and indexing may not be\\n aligned with the trust model of Bichon’s user data.\\n \\n * The legacy URL-leakage paths (nginx access log, browser history,\\n Referer to third parties) remain valid additional vectors.\\n \\n \\n V. Solution\\n ===========\\n \\n Two changes are recommended:\\n \\n 1. Remove the URL-query fallback in extract_client_context():\\n \\n let bearer = req\\n .headers()\\n .typed_get::\\u003cAuthorization\\u003cBearer\\u003e\\u003e()\\n .map(|auth| auth.0.token().to_string());\\n \/* drop .or_else(…) *\/\\n \\n If a separate code path genuinely needs a download-friendly token\\n in the URL (e.g. signed share links), implement a separate\\n short-lived, single-use download-token mechanism with its own scope.\\n \\n 2. Redact sensitive query parameters in the request-log middleware:\\n \\n In bichon_server::common::log, before emitting the `query` field,\\n sanitize any `access_token`, `token`, `api_key`, or `password`\\n parameter to a placeholder such as \\”[REDACTED]\\”.\\n \\n VI. Credit\\n ===========\\n \\n Discovered and reported by MrOruc, independent security researcher.\\n GitHub: https:\/\/github.com\/MrOruc\\n Email: kerim.oruc@razesecurity.com”,”sourceHref”:”https:\/\/packetstorm.news\/download\/221272″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/221272\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-05-18T19:05:51″,”description”:”Bichon version 1.0.2 accepts Bearer access tokens via GET requests which has the negative side affect of being disclosed in logs, REFERER headers, and more…”,”published”:”2026-05-18T00:00:00″,”modified”:”2026-05-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-55362","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=55362\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-05-18T19:05:51″,”description”:”Bichon version 1.0.2 accepts Bearer access tokens via GET requests which has the negative side affect of being disclosed in logs, REFERER headers, and more…”,”published”:”2026-05-18T00:00:00″,”modified”:”2026-05-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=55362\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-18T14:51:38+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55362#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55362\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272\",\"datePublished\":\"2026-05-18T14:51:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55362\"},\"wordCount\":930,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=55362#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55362\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55362\",\"name\":\"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-18T14:51:38+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55362#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=55362\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=55362#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=55362","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272 - zero redgem","og_description":"{“lastseen”:”2026-05-18T19:05:51″,”description”:”Bichon version 1.0.2 accepts Bearer access tokens via GET requests which has the negative side affect of being disclosed in logs, REFERER headers, and more…”,”published”:”2026-05-18T00:00:00″,”modified”:”2026-05-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4...","og_url":"https:\/\/zero.redgem.net\/?p=55362","og_site_name":"zero redgem","article_published_time":"2026-05-18T14:51:38+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=55362#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=55362"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272","datePublished":"2026-05-18T14:51:38+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=55362"},"wordCount":930,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=55362#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=55362","url":"https:\/\/zero.redgem.net\/?p=55362","name":"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-18T14:51:38+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=55362#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=55362"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=55362#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Bichon 1.0.2 Bearer Access Token Disclosure_PACKETSTORM:221272"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/55362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=55362"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/55362\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=55362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=55362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=55362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}