Account Owner Email Address Leakage Leads To Improper Access Control in kiwitcms/kiwi

Valid

Reported on

Apr 15th 2023


Description

Hi team, when I try to create users on https://public.tenant.kiwitcms.org/admin/auth/user/<yourid>/change/ I see that the users are not properly authenticated. I can create users with the same first name, last name, and email. Normally, when we create the same users it should error with the responses "user already exists" and "email already exists"; this belongs to the business logic vulnerability as well. I can also create users with the account owner email address admin@kiwitcms.org and it works. Now I have users with the account owner email address kiwitcms.org.

Proof of Concept

1. Go to create account and go to My profile.
2. Enter your first name, e.g. test, last name demo, and an email; you can use admin@kiwitcms.org up to 3 times.
3. You successfully create users with the same email address, first name and last name.


Impact

Attackers can arbitrarily and without the victim's consent make new users use their email.
We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. a month ago
novemberdad
a month ago

Researcher


Hi team, I forgot to add the registration URL here: https://public.tenant.kiwitcms.org/accounts/login/?next=/ You can create a new account, then go to My profile and create new users like I did above.

Best Regards, Gemilang.

novemberdad modified the report
a month ago
novemberdad modified the report
a month ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back a month ago
Alexander Todorov modified the Severity from High (8.9) to None (0) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alexander Todorov validated this vulnerability a month ago

I acknowledge that there is a security issue here, however the original description and assessment are incorrect IMO. An unverified email address can be used after account creation, not before that or during the registration step.

Issue description:

  • After registration users are able to update their profile information, including the email address associated with their own account via a so called "My profile" page.
  • Upon updating the email address on the page above, email ownership isn't verified like it is on the registration page, for example.
  • The result is that registered users can change their addresses to whatever they like.

From the original report it isn't obvious:

  • that email addresses for other accounts registered in the system can be leaked
  • that an account with a spoofed email address will have their access control/permissions elevated (permissions are either assigned via groups or directly on the account and have nothing to do with email addresses)

I've adjusted the Severity and the CWE to the best of my understanding and to better match what's actually happening. Feel free to provide more detailed explanation & steps to exploit the vulnerability further if you don't agree.
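The flow the maintainer describes (profile page accepts any address, no ownership check) is what a verified email-change flow prevents. As an added example that is not Kiwi TCMS's own code and not the referenced commit, the plain-Python module below keeps the account's live address unchanged until a one-time token mailed to the new address is confirmed, and refuses addresses already registered to another account, both at request time and again at confirmation time. The names (`AccountStore`, `request_email_change`, `confirm_email_change`, `TOKEN_TTL_SECONDS`), the in-memory store standing in for the Django User model, and the `outbox` list standing in for `send_mail()` are all assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a confirmation link


@dataclass
class User:
    """Constructed stand-in for a user record; only the fields this flow needs."""
    username: str
    email: str                                 # the live, verified address
    pending_email: Optional[str] = None        # requested but not yet confirmed
    pending_token_hash: Optional[str] = None   # only a hash of the token is stored
    pending_expires: float = 0.0


class EmailChangeError(Exception):
    """Raised when a change request is rejected before any mail is sent."""


def _normalize(email: str) -> str:
    return email.strip().lower()


class AccountStore:
    """Hypothetical in-memory account store; replaces the ORM for the example."""

    def __init__(self) -> None:
        self._users: Dict[str, User] = {}
        # (recipient, token) pairs; stands in for send_mail() so this runs offline
        self.outbox: List[Tuple[str, str]] = []

    def add(self, user: User) -> None:
        self._users[user.username] = user

    def by_username(self, username: str) -> User:
        return self._users[username]

    def _address_taken(self, email: str, requester: User) -> bool:
        norm = _normalize(email)
        return any(u.username != requester.username and _normalize(u.email) == norm
                   for u in self._users.values())

    def request_email_change(self, username: str, new_email: str,
                             now: Optional[float] = None) -> str:
        """Record the new address as pending and mail a one-time token to it.

        The live address is untouched until confirm_email_change() succeeds.
        The token is returned only so a test can simulate the user's click.
        """
        now = time.time() if now is None else now
        user = self.by_username(username)
        new_email = new_email.strip()
        if "@" not in new_email:
            raise EmailChangeError("not an email address")
        if self._address_taken(new_email, user):
            # Rejected before anything is stored or mailed.
            raise EmailChangeError("address already registered to another account")
        token = secrets.token_urlsafe(32)
        user.pending_email = new_email
        user.pending_token_hash = hashlib.sha256(token.encode()).hexdigest()
        user.pending_expires = now + TOKEN_TTL_SECONDS
        self.outbox.append((new_email, token))  # only the claimed address gets it
        return token

    def confirm_email_change(self, username: str, token: str,
                             now: Optional[float] = None) -> bool:
        """Apply the pending address if the presented token is valid and unexpired."""
        now = time.time() if now is None else now
        user = self.by_username(username)
        if user.pending_token_hash is None or now > user.pending_expires:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, user.pending_token_hash):
            return False
        # Re-check: another account may have registered the address in the meantime.
        if self._address_taken(user.pending_email, user):
            self._clear_pending(user)
            return False
        user.email = user.pending_email
        self._clear_pending(user)  # token is single-use
        return True

    def _clear_pending(self, user: User) -> None:
        user.pending_email = None
        user.pending_token_hash = None
        user.pending_expires = 0.0


if __name__ == "__main__":
    # Constructed demo data; .invalid is a reserved TLD, so no real mailbox is involved.
    store = AccountStore()
    store.add(User("admin", "admin@example.invalid"))
    store.add(User("alice", "alice@example.invalid"))
    try:
        store.request_email_change("alice", "admin@example.invalid")
    except EmailChangeError as err:
        print("rejected:", err)
    tok = store.request_email_change("alice", "alice.new@example.invalid")
    print("still live:", store.by_username("alice").email)
    print("confirmed:", store.confirm_email_change("alice", tok))
    print("now live:", store.by_username("alice").email)
```

The two properties worth keeping when porting this to a real view are that the confirmation mail goes only to the address being claimed (never to the current one) and that the uniqueness check is repeated when the token is redeemed, since the request and the confirmation can be separated by hours.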

novemberdad has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alexander Todorov marked this as fixed in 12.2 with commit 20c3e3 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on May 8th 2023
novemberdad
a month ago

Researcher


Hi @atodorov, thank you for the fast response. I would like to know if this will be eligible for a CVE? Thank you so much.

If there's a way I can help, please don't hesitate to reach out to me.

Thank you

Alexander
a month ago

Maintainer


CVE number is CVE-2023-30544 and is managed via https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-7x6q-3v3m-cwjg when it gets published.

Alexander Todorov published this vulnerability 18 days ago