The UI Performs the Wrong Action in flarum/framework
Reported on
Sep 27th 2021
Description
Sensitive data can be exposed even after logging out of the application due to a wrong UI action.
Proof of Concept
1) Log in to the application dashboard as admin ( https://demo.flarum.site/admin#/ )
2) Go to any page ( dashboard, permissions, etc. )
3) Click logout
4) Click the browser back button
5) You will re-enter the application dashboard and can view and use different options like permissions, etc.
Impact
Any other user can view the data if the browser tab remains unclosed after logging out. The application must strictly redirect to the login page even when the browser back button is pressed and not allow the exposure of the application structure.
I think one of the key things about this is that no actions can be taken, despite having visual access to the admin UI.
Some people may consider this a vulnerability, but even large entities, like Google, do not believe that it is: https://sites.google.com/site/bughunteruniversity/nonvuln/cached-content-after-logout
They actually state:
In order to access the cached pages, the attacker will need physical access to the targeted login session, or the ability to execute arbitrary code with the current user's privileges on the system.
I agree with them, personally, as, if an attacker has that level of access, they could realistically do far more damage (e.g. install a keylogger on the system, or steal a session token after they log back in), rendering purely visual access to the data trivial in comparison.
Hi, there is a simple fix for this issue: using no-cache, no-store in the response header will help to prevent this issue.
Thanks
We are setting max-age=0 in our headers. Setting this value forces the cache to revalidate, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#preventing_caching. The question is whether we might also need no-store.
Looking at https://stackoverflow.com/a/1383359/717181, I think this makes sense. I am going to Mark As Valid and ensure action is taken at least for the admin area.
Thanks for your disclosure.
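The difference the maintainers are weighing (max-age=0 versus no-store) can be checked mechanically. The following is an added example, not Flarum code: a small Cache-Control parser plus an audit that flags an authenticated HTML response whose headers would still let a browser keep a stored copy after logout. The response headers at the bottom are constructed samples; `audit_response` and `hardened_headers` are names chosen here, not anything in the project.

```python
"""Audit Cache-Control on authenticated pages for the back-button-after-logout case.

max-age=0 (and no-cache) only mark a stored response as stale and require
revalidation before reuse; history navigation (the back button) may still show
the stored copy. Only no-store tells the browser not to keep the response at all.
"""
from typing import Dict, List, Optional


def parse_cache_control(header: str) -> Dict[str, Optional[str]]:
    """Parse a Cache-Control value into {directive: argument}.

    Directive names are case-insensitive (RFC 9111); arguments may be quoted.
    Directives without an argument map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        directives[name] = value.strip().strip('"') if value else None
    return directives


def stored_after_logout(cache_control: str) -> bool:
    """True if a browser may still hold a local copy of this response."""
    return "no-store" not in parse_cache_control(cache_control)


def audit_response(headers: Dict[str, str]) -> List[str]:
    """Return findings for an authenticated response; an empty list means OK.

    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    cc = lower.get("cache-control")
    if cc is None:
        findings.append("no Cache-Control header: browser may cache heuristically")
        return findings
    d = parse_cache_control(cc)
    if "no-store" not in d:
        findings.append("no-store missing: a stored copy can be shown on back navigation")
    if "private" in d and "no-store" not in d:
        findings.append("private only restricts shared caches, not the user's browser cache")
    if d.get("max-age") == "0" and "no-store" not in d:
        findings.append("max-age=0 only forces revalidation; it does not prevent storage")
    return findings


def hardened_headers() -> Dict[str, str]:
    """Header set that prevents storage in both modern and legacy caches."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",  # HTTP/1.0 caches
        "Expires": "0",
    }


# Constructed sample responses (not captured from any real deployment).
WEAK_ADMIN_RESPONSE = {"Content-Type": "text/html", "Cache-Control": "max-age=0, private"}
FIXED_ADMIN_RESPONSE = {"Content-Type": "text/html", **hardened_headers()}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_ADMIN_RESPONSE), ("fixed", FIXED_ADMIN_RESPONSE)):
        print(label, audit_response(resp) or ["ok"])
```

Run the module directly to see the two sample responses audited; the header set in `hardened_headers` is the conventional combination for pages that must never be served from a local cache.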