Unrestricted connection between the Marzban-Node and Marzban-Dashboard #26

Open
mmx2004 opened this issue Dec 6, 2023 · 5 comments

@mmx2004

mmx2004 commented Dec 6, 2023

When adding a Node in the Marzban-Dashboard, it displays a Certification that ideally needs to be copied into the Node. However, even without copying this Certification, the Node can still be connected to the Dashboard and used without any issues. This presents a significant security flaw that requires immediate attention and resolution.

@SaintShit
Contributor

@mmx2004 There are a bunch of nodes out there that don't have a copy of the certificate yet, which can cause a node to stop working after updating Marzban. So, currently, we implemented the safe way and suggest that users update their nodes. We hope that awareness about this will increase with the completion of our documentation.

@mmx2004
Author

mmx2004 commented Dec 6, 2023

But it appears that even the previous version of Marzban-Node lacks sufficient protection against unauthorized use. With the correct version of Marzban-Dashboard, one could potentially utilize another individual's Marzban-Node, which poses a significant security concern. This situation is far from ideal and requires immediate attention to ensure proper security measures are in place.

@M03ED

M03ED commented Dec 6, 2023

This is why Marzban removed the old method for nodes. In the new version, an unauthorized Marzban can't connect to nodes.

@xshayank

xshayank commented Dec 7, 2023

> This is why Marzban removed the old method for nodes. In the new version, an unauthorized Marzban can't connect to nodes.

I think they are having this issue in the new version, not the old one.

@SaintShit
Contributor

> But it appears that even the previous version of Marzban-Node lacks sufficient protection against unauthorized use. With the correct version of Marzban-Dashboard, one could potentially utilize another individual's Marzban-Node, which poses a significant security concern. This situation is far from ideal and requires immediate attention to ensure proper security measures are in place.

Can you provide some details on how this could happen?
