The UI Performs the Wrong Action in zikula/core

Valid

Reported on

Sep 28th 2021


Description

Sensitive data on the application can be exposed after the user logs

Proof of Concept

// PoC
1 Login to the application
2 Goto page like My Account
3 Click logout
4 Click browser back button

Impact

When a user logs out without closing the browser someone can view the information inside by clicking the back button on the browser.

We have contacted a member of the zikula/core team and are waiting to hear back 2 months ago
We have contacted a member of the zikula/core team and are waiting to hear back 2 months ago
Axel
2 months ago

Maintainer


Hello and thank you for reporting, I doubt that this can be prevented from server-side because Firefox is just showing the old page from its client cache. When you reload or click on another link/button it does not happen, since the session is gone.

lethanhphuc
2 months ago

Researcher


Correct. You can add a refresh event when the user has logged out and click the back button on the browser. Sensitive data here can generally be user information, credit cards, ..

Axel
2 months ago

Maintainer


A client-side event handler can't be a solid solution as it can be disabled.

lethanhphuc
2 months ago

Researcher


Yes. The back-end can solve this issue. You can try use cache header like:

<?php addHeader("Cache-Control", "no-cache, no-store, must-revalidate"); ?>
Axel
2 months ago

Maintainer


So the actual fix would be disabling any kind of cache inside the browser (unless using a proxy). We had another report of that here: https://huntr.dev/bounties/c4371a9a-e355-4869-928c-8c275cf7beb4/ Will need to check with the team about that.

lethanhphuc
2 months ago

Researcher


Yes. The cache should disable. More config for cache header like :

<?php
header('Cache-Control','nocache, no-store, max-age=0, must-revalidate')
            ->header('Pragma','no-cache')
            ->header('Expires','Sun, 02 Jan 1990 00:00:00 GMT');
?>
Axel Guckelsberger validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger confirmed that a fix has been merged on f085bb 2 months ago
Axel Guckelsberger has been awarded the fix bounty