
🔴 CRITICAL: SSL Private Key Exposed in Repository #53

@cwarre33

Description


Security Issue: SSL Private Key Committed to Repository

I've identified that your repository contains an SSL private key with an associated certificate, which is used by the SuperAdmin application.

Location

Confirmed Impact

The key is actively deployed by the application (definitions/superadmin.js):

var filename = Path.join(CONF.directory_ssl, 'superadmin.key');
Fs.copyFile(PATH.private('superadmin.key'), filename, NOOP);

And used for SSL configuration (tasks/nginx.js):

domains.push({
  ssl_key: CONF.directory_ssl + 'superadmin.key',
  ssl_cer: CONF.directory_ssl + 'superadmin.csr'
});

Security Risks

  • 🔴 Admin Panel Impersonation - Anyone can authenticate as SuperAdmin
  • 🔴 SSL Certificate Forgery - Can sign certificates as your organization
  • 🟠 Managed Server Compromise - Access to servers running SuperAdmin

Immediate Actions Required

  1. URGENT: Generate new SSL key pair immediately
  2. Rotate certificates on all deployments
  3. Update /www/ssl/superadmin.key on all servers
  4. Add to .gitignore:
     private/*.key
     private/*.csr
  5. Remove from git history using BFG Repo-Cleaner or git-filter-repo
  6. Monitor for unauthorized SuperAdmin instances

Additional Context

  • Verified RSA-2048 key
  • Associated CSR present in repository
  • Key modulus matches CSR (confirms usage)

Timeline

Following responsible disclosure practices. Given the ~100 stars and 46 forks, multiple deployments may be affected.

Let me know if you need clarification or assistance with remediation.
