The UI Performs the Wrong Action in zikula/core

Valid

Reported on

Sep 28th 2021


Description

Sensitive data on the application can be exposed after the user logs

Proof of Concept

1. Log in to the application.
2. Go to a page such as My Account.
3. Click logout.
4. Click the browser back button.

Impact

When a user logs out without closing the browser someone can view the information inside by clicking the back button on the browser.

We have contacted a member of the zikula/core team and are waiting to hear back 2 years ago
Axel (Maintainer), 2 years ago:

Hello and thank you for reporting. I doubt that this can be prevented from the server side, because Firefox is just showing the old page from its client cache. When you reload or click on another link/button it does not happen, since the session is gone.

lethanhphuc (Researcher), 2 years ago:

Correct. You can add a refresh event for when the user has logged out and clicks the back button on the browser. Sensitive data here can generally be user information, credit cards, etc.

Axel (Maintainer), 2 years ago:

A client-side event handler can't be a solid solution as it can be disabled.

lethanhphuc (Researcher), 2 years ago:

Yes. The back-end can solve this issue. You can try using a cache header like:

<?php
// Sent with the page that contains the sensitive data, before any output
header("Cache-Control: no-cache, no-store, must-revalidate");
?>

Axel (Maintainer), 2 years ago:

So the actual fix would be disabling any kind of cache inside the browser (unless using a proxy). We had another report of that here: https://huntr.dev/bounties/c4371a9a-e355-4869-928c-8c275cf7beb4/ Will need to check with the team about that.

lethanhphuc (Researcher), 2 years ago:

Yes. The cache should be disabled. A fuller set of cache headers looks like:

<?php
// Plain PHP: each header is its own call, sent before any output
header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');
header('Pragma: no-cache');                          // for HTTP/1.0 caches
header('Expires: Sun, 02 Jan 1990 00:00:00 GMT');    // a date in the past
?>
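As an added example (not Zikula's code, and not the snippets posted in the thread), a minimal PHP front controller showing where the headers have to go: on the response that renders the account data, since that is the page the back button restores, not only on the logout response. The /logout and /account paths, the $_SESSION['user'] shape and the fallback e-mail address are constructed placeholders.

```php
<?php
// Added example, not Zikula's own code. Sends the cache directives the
// thread converged on. They must accompany every response that renders
// session-bound data: the Back button restores the cached account page,
// so setting them only on the logout response would not help.
function sendNoStoreHeaders(): void
{
    // no-store forbids any cache (browser or intermediary) from keeping a copy;
    // no-cache/must-revalidate cover caches that only honour the older directives.
    header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');
    // For HTTP/1.0 caches that ignore Cache-Control.
    header('Pragma: no-cache');
    // A date in the past marks any stored copy as already expired.
    header('Expires: Sun, 02 Jan 1990 00:00:00 GMT');
}

// Hypothetical "My Account" page; $user is whatever the session holds.
function renderAccountPage(array $user): void
{
    sendNoStoreHeaders();
    header('Content-Type: text/html; charset=utf-8');
    echo '<h1>My Account</h1>';
    echo '<p>Email: ' . htmlspecialchars($user['email'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Hypothetical logout: tearing down the server-side session is what stops a
// reload or a link from showing data; the headers above are what stops the
// browser from replaying an already cached copy.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    sendNoStoreHeaders();
    header('Location: /login', true, 303);
}

// Constructed front controller: /logout ends the session, anything else shows the account.
session_start();
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if ($path === '/logout') {
    logout();
} else {
    renderAccountPage($_SESSION['user'] ?? ['email' => 'constructed@example.test']);
}
```

To verify, serve it with `php -S localhost:8080 example.php` and run `curl -sI http://localhost:8080/account`; the response must carry `Cache-Control` with `no-store`, which is the directive that keeps the back button from showing a stored copy.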
Axel Guckelsberger validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger marked this as fixed with commit f085bb 2 years ago
Axel Guckelsberger has been awarded the fix bounty
This vulnerability will not receive a CVE