Language Dropdown Menu Manipulation in froxlor/froxlor

Valid

Reported on

Jan 27th 2023


Hello

It is possible to manipulate the Language Dropdown Menu and change it to anything the attacker wants.

Process of the Vulnerability:

  1. Login
  2. Go Miscellaneous -> Email & file templates
  3. Add Template -> Change & Save and intercept the Request
  4. Change the Language to anything you want

Lets see :)

As you can see there are specific Languages nobody can select anything else.

Lets put HACKED inside it :)

The language is now HACKED lets see

AS you can see the language is now HACKED and it got accepted even if we have a Dropdown Menu with specific Languages to choose from

Thank you for watching :)

Best regards Ahmed Hassan

Impact

Hello

It is possible to manipulate the Language Dropdown Menu and change it to anything the attacker wants.

Process of the Vulnerability:

  1. Login
  2. Go Miscellaneous -> Email & file templates
  3. Add Template -> Change & Save and intercept the Request
  4. Change the Language to anything you want

Lets see :)

As you can see there are specific Languages nobody can select anything else.

Lets put HACKED inside it :)

The language is now HACKED lets see

AS you can see the language is now HACKED and it got accepted even if we have a Dropdown Menu with specific Languages to choose from

Thank you for watching :)

Best regards Ahmed Hassan

We are processing your report and will contact the froxlor team within 24 hours. a year ago
Michael
a year ago

Why would you select "integrity: high" here? What files can be read/modified? The only impact i can see is that the template just not being used because no customer has the language "HACKED". Also, adding templates is an admin-privileged compoonent, which would set "required permissions" to high, leading to: https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Ahmed Hassan
a year ago

Researcher


Because the Dropdown Menu should not be able to manipulate and this should be fixed. Therefore the Intigrity is hit cause some "fixed" Data which should be not allowed to change was manipulated.

Michael
a year ago

okay, fair enough. Do you agree on this requiring high privileges though?

Ahmed Hassan
a year ago

Researcher


definitely yeah cause the template was generated by the admin account (the highest User or Administrator) and this is a high privilege account and the highest in the whole Application.

Michael Kaufmann modified the Severity from High (7.1) to Medium (5.5) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Michael Kaufmann validated this vulnerability a year ago
ahmedvienna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.10 with commit 2feb80 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation