The UI Performs the Wrong Action in flarum/framework

Valid

Reported on Sep 27th 2021


Description

Sensitive data can still be exposed after logging out of the application, because the UI performs the wrong action when the browser navigates back.

Proof of Concept

1) Log in to the application dashboard as admin ( https://demo.flarum.site/admin#/ )
2) Go to any page (dashboard, permissions etc.)
3) Click logout
4) Click the browser back button
5) The browser re-enters the application dashboard, where the different options (permissions etc.) can be viewed and used

Impact

Any other user can view the data if the browser tab remains open after logging out. The application must strictly redirect to the login page even when the browser back button is pressed, and must not allow the application structure to be exposed.

We have contacted a member of the flarum/framework team and are waiting to hear back (a year ago)
0xdhinu modified the report (a year ago)

David Wheatley (a year ago)

I think one of the key things about this is that no actions can be taken, despite having visual access to the admin UI.

Some people may consider this a vulnerability, but even large entities, like Google, do not believe that it is: https://sites.google.com/site/bughunteruniversity/nonvuln/cached-content-after-logout

They actually state:

In order to access the cached pages, the attacker will need physical access to the targeted login session, or the ability to execute arbitrary code with the current user's privileges on the system.

I agree with them, personally, as, if an attacker has that level of access, they could realistically do far more damage (e.g. install a keylogger on the system, or steal a session token after they log back in), rendering purely visual access to the data trivial in comparison.

0xdhinu, Researcher (a year ago)

Hi, there is a simple fix for this issue: using no-cache, no-store in the response header will help to prevent this issue.

Thanks

Daniël Klabbers (a year ago)

We are setting max-age=0 in our headers. Setting this value forces the cache to revalidate, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#preventing_caching. The question is whether we might also need no-store.

Looking at https://stackoverflow.com/a/1383359/717181, I think this makes sense. I am going to Mark As Valid and ensure action is taken at least for the admin area.

Thanks for your disclosure.
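As an added example (not Flarum's code and not from any participant in this thread), a small Python WSGI middleware that applies the `no-store` directive discussed above to responses under an assumed `/admin` prefix, together with a Cache-Control parser that shows why `max-age=0` on its own only forces revalidation and does not forbid the browser from keeping a copy that the back button can show. The `demo_app`, paths and header values are constructed for the demonstration.

```python
from typing import Dict


def parse_cache_control(header: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument} ('' when no argument)."""
    directives: Dict[str, str] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def forbids_storage(header: str) -> bool:
    """True only when no cache (including the browser history) may keep the response.
    max-age=0 and no-cache merely require revalidation of a stored copy, which is
    not enough once the session that produced the page is gone."""
    return "no-store" in parse_cache_control(header)


NO_STORE = "no-store, no-cache, must-revalidate"


def no_store_for_prefix(app, prefix: str = "/admin"):
    """WSGI middleware: on responses whose path starts with `prefix` (assumed; Flarum's
    own routing is not modelled), replace Cache-Control with NO_STORE and add
    Pragma: no-cache for HTTP/1.0 intermediaries. Other paths pass through unchanged."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            if environ.get("PATH_INFO", "").startswith(prefix):
                headers = [(k, v) for k, v in headers
                           if k.lower() not in ("cache-control", "pragma")]
                headers += [("Cache-Control", NO_STORE), ("Pragma", "no-cache")]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in application that still emits the weak max-age=0 header."""
    start_response("200 OK", [("Content-Type", "text/html"), ("Cache-Control", "max-age=0")])
    return [b"<h1>admin</h1>"]


def response_headers(app, path: str) -> Dict[str, str]:
    """Run one GET through `app` and return the response headers as a dict."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(dict(headers))
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured
```

Running `response_headers(no_store_for_prefix(demo_app), "/admin/permissions")` returns the hardened headers, while a request to `/` keeps the application's original `max-age=0`.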

Daniël Klabbers validated this vulnerability a year ago
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Daniël Klabbers marked this as fixed with commit b4772e a year ago
Daniël Klabbers has been awarded the fix bounty
This vulnerability will not receive a CVE