Account Owner Email Address Leakage Leads To Improper Access Control in kiwitcms/kiwi
Reported on
Apr 15th 2023
Description
Hi team, when I try to create users on https://public.tenant.kiwitcms.org/admin/auth/user/<yourid>/change/ I see that the users are not properly authenticated. I can create users with the same first name, last name, and email. Normally, when we create the same users it should error with the response "user already exists" and "email already exists"; this belongs to the business logic vulnerability as well. I can also create users with the account owner email address admin@kiwitcms.org and it works. Now I have users with the account owner email address kiwitcms.org.
Proof of Concept
1. Go to create account and go to my profile.
2. Enter your first name like test and last name demo and email. You can use admin@kiwitcms.org up to 3 times.
3. Successfully create users with the same email address and first name, last name.
# Impact
Attackers can arbitrarily and without the victim's consent make new users use their email.
Hi team, I forgot to add the registration URL here: https://public.tenant.kiwitcms.org/accounts/login/?next=/ You can create a new account, then go to my profile and create new users like I did above.
Best Regards, Gemilang.
I acknowledge that there is a security issue here, however the original description and assessment are incorrect IMO. An unverified email address can be used after account creation, not before that or during the registration step.
Issue description:
- After registration users are able to update their profile information, including the email address associated with their own account, via a so-called "My profile" page.
- Upon updating the email address on the page above email ownership isn't verified like it is on the registration page for example.
- The result is that registered users can change their addresses to whatever they like.
From the original report it isn't obvious:
- that email addresses for other accounts registered in the system can be leaked
- that an account with a spoofed email address will have their access control/permissions elevated (permissions are either assigned via groups or directly on the account and have nothing to do with email addresses)
I've adjusted the Severity and the CWE to the best of my understanding and to better match what's actually happening. Feel free to provide more detailed explanation & steps to exploit the vulnerability further if you don't agree.
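A defender-side sketch of the fix implied by the issue description above: an email change requested from the profile page is staged, and the live address is replaced only after a token mailed to the new address comes back, with an address already held by another account rejected. This is an added example, not Kiwi TCMS code; `User`, `SIGNING_KEY` and the in-memory user list are assumptions standing in for the real models and settings.

```python
import hashlib
import hmac
import secrets

# Per-deployment signing key; constructed for this example, load from config in practice.
SIGNING_KEY = secrets.token_bytes(32)

class User:  # minimal stand-in for an account record, not Kiwi TCMS's model
    def __init__(self, uid, email):
        self.id = uid
        self.email = email          # verified address, changed only by confirm_email_change
        self.pending_email = None   # staged address awaiting proof of ownership
        self.pending_nonce = None
        self.pending_expires = 0

def _sign(uid, email, nonce):
    return hmac.new(SIGNING_KEY, f"{uid}:{email}:{nonce}".encode(), hashlib.sha256).hexdigest()

def email_in_use(email, users):
    return any(u.email == email for u in users)

def request_email_change(user, new_email, users, now, ttl=3600):
    """Stage the change and return the token to mail to new_email, or None if rejected.
    The live address stays untouched until that token comes back from the new mailbox."""
    new_email = new_email.strip().lower()
    if email_in_use(new_email, users):   # one address must not belong to two accounts
        return None
    nonce = secrets.token_hex(16)
    user.pending_email, user.pending_nonce = new_email, nonce
    user.pending_expires = now + ttl
    return f"{user.id}.{nonce}.{_sign(user.id, new_email, nonce)}"

def confirm_email_change(user, token, users, now):
    """Apply the staged change only if the token is intact, unexpired and for this user."""
    try:
        uid, nonce, sig = token.split(".")
    except ValueError:
        return False
    if str(user.id) != uid or nonce != user.pending_nonce or now > user.pending_expires:
        return False
    if not hmac.compare_digest(sig, _sign(user.id, user.pending_email, nonce)):
        return False
    if email_in_use(user.pending_email, users):  # re-check: registered by someone meanwhile?
        return False
    user.email = user.pending_email
    user.pending_email = user.pending_nonce = None
    return True
```

Binding the nonce to the pending record means an older token is useless once a newer change request is made, and the uniqueness check is repeated at confirmation time to close the window between request and confirmation.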
Hi @atodorov, thank you for the fast response. I would like to know if this will be eligible for a CVE? Thank you so much.
If there's a way I can help, please don't hesitate to reach out to me.
Thank you
CVE number is CVE-2023-30544 and is managed via https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg when it gets published.